Security Alert: Vercel Breach Results in Compromised Customer Credentials

Coalition has notified policyholders of a security incident involving unauthorized access to certain internal systems of Vercel, a cloud development platform. 

Attackers compromised a Vercel employee’s Google Workspace account, allowing them to gain access to Vercel environments and ultimately exfiltrate configuration data from an undefined subset of its customer base. 

Vercel has published guidance, believes it has notified all affected customers, and is actively investigating the extent of the breach. Coalition suggests that policyholders should rotate any API keys, credentials, and third-party service tokens that they may have stored in environment variables in Vercel-hosted applications.

What’s happening?

Vercel, a cloud platform that provides hosting and deployment infrastructure for developers (with a focus on JavaScript frameworks), published a security bulletin on Sunday, April 20, stating that a subset of customers’ Vercel credentials had been compromised following a security breach. 

The incident originated with a compromise of Context.ai, a third-party tool used by a Vercel employee. The attacker, allegedly a member of the ShinyHunters group, used that access to take over the employee’s Google Workspace account, and later, to break into Vercel environments not marked as “sensitive” since such environments are not encrypted.

The threat actor posted on a hacking forum and claims to be selling access keys, source code, and data allegedly stolen from Vercel. 

How should businesses address this?

Vercel recommends that customers follow the below best practices to reduce risk while its investigation is underway.

• Review activity logs for suspicious activity: Check your account and environments in the Vercel dashboard or via the Command-Line Interface (CLI). 

• Review and rotate environment variables: Vercel stores environment variables marked as "sensitive" in Vercel in a manner that prevents them from being read. Vercel currently has no evidence that those values were accessed. However, if any of your environment variables contain secrets (API keys, tokens, credentials, signing keys) that were not marked as sensitive, treat those values as potentially exposed and prioritize rotating them.

• Use the sensitive environment variables feature moving forward: This can protect secret values from being read in the future.

Who’s at risk?

Vercel has not yet shared details on which systems were breached or how many customers were impacted. While Vercel has reached out directly to customers with compromised credentials, all customers should implement the best practices listed above to reduce their risk.

Vercel states that Next.js, Turbopack, and its other open-source projects remain safe.

How Coalition is responding

Coalition notified all impacted policyholders on April 19, 2026 with guidance on how to reduce their risk. Coalition policyholders can log in to Coalition Control® for the latest updates. 

For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.

SPOT & STOP CYBER THREATS 

Coalition Control

Take control of your cyber risk >

This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites.

Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.