
Vimeo has disclosed that data belonging to some of its users and customers has been accessed without authorization following the recent breach at the data anomaly detection company Anodot.
The video platform says that the threat actor accessed email addresses for some of its users, but most of the exposed data consisted of technical information, video titles, and metadata.
“We’ve recognized that, because of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer information. Our preliminary findings suggest that the databases accessed primarily contain technical information, video titles and metadata, and, in some instances, customer email addresses,” Vimeo states.
The Vimeo breach was claimed by the notorious extortion group ShinyHunters, who threatened to publish the stolen data by April 30 unless the company paid a ransom.
Vimeo is a video hosting and streaming platform, one of the largest alternatives to YouTube, enabling over 300 million registered users to upload, host, and share high-quality videos.
The company employs over 1,100 people, has an annual revenue of $417 million, and is publicly traded on the Nasdaq stock market.
Yesterday, ShinyHunters listed Vimeo on their extortion portal, claiming to have data from the company’s Snowflake and BigQuery instances.
Apart from threatening to leak the data, the actor also issued a warning to the company, stating that the platform should expect “a number of annoying digital issues.”

The Anodot incident involved attackers stealing authentication tokens and using them to access customer environments, primarily Snowflake, and exfiltrate data from multiple organizations.
The activity has been linked to the ShinyHunters extortion group, which is now attempting to monetize the breach through extortion and by threatening to leak the stolen data from various downstream victims.
One of those victims was game development studio Rockstar Games, with ShinyHunters claiming to have exfiltrated more than 78.6 million records.
In the case of Vimeo, however, the impact remains unclear, as the actor did not state the amount of stolen data.
Vimeo has specified that the exposed data does not include video content users uploaded to the platform, account credentials, or payment card information. Also, the platform’s operations remained unaffected.
The company has now disabled all Anodot credentials and removed the service’s integration with its systems.
Vimeo is now investigating the incident with the help of third-party security experts and has also notified law enforcement authorities.
The company promised to provide updates if the investigation uncovers significant new information about the incident.


