Video hosting platform Vimeo has confirmed a data breach exposing approximately 119,200 unique user email addresses, attributing the incident not to a compromise of its own infrastructure but to a security breach at Anodot — an AI-powered business analytics and anomaly detection platform integrated with Vimeo's systems. The breach came to light after the ShinyHunters extortion group added Vimeo to its pay-or-leak portal in April 2026 and subsequently published hundreds of gigabytes of stolen data — including a 106GB archive released on its Tor-hosted dark web leak site — after no ransom payment was made by Vimeo's April 30 deadline. The incident was formally added to the Have I Been Pwned breach notification service on May 5, 2026, flagging 119,200 affected accounts.
According to Vimeo's official disclosure published on April 27, 2026, the databases accessed through the Anodot breach primarily contained technical data, video titles, video metadata, and in some cases customer email addresses accompanied by account holder names. Vimeo was explicit that the breach does not include Vimeo video content, valid user login credentials, or payment card information. The company confirmed that user and customer login credentials remain fully secure and that no disruption to its platform or services occurred as a result of the incident. ShinyHunters specifically claimed to have obtained data from Vimeo's Snowflake and BigQuery instances accessed via the Anodot integration.
The most significant aspect of this breach is not what was stolen but how it was obtained. ShinyHunters did not breach Vimeo's primary infrastructure directly. Instead, the group targeted Anodot — a third-party analytics vendor used by Vimeo and numerous other enterprise clients — as an indirect pathway into Vimeo's data environment. Because analytics platforms like Anodot ingest and process data from multiple enterprise customers simultaneously, they represent extraordinarily high-value targets for threat actors. A single successful compromise of an analytics vendor can yield access to data from dozens or hundreds of enterprise clients, amplifying the impact of a single intrusion far beyond what a direct attack on any one organisation would achieve. Google Threat Intelligence has published a report directly linking the Anodot compromise to ShinyHunters' broader SaaS data theft campaign, confirming this as a deliberate and methodical supply chain targeting strategy rather than an opportunistic attack. At the time of Vimeo's disclosure, ShinyHunters' extortion portal listed three organisations compromised through the same Anodot breach — Vimeo, Rockstar Games, and fashion retail giant Zara — confirming that a single vendor compromise cascaded into multiple simultaneous enterprise data exposures.
ShinyHunters is a well-established and increasingly sophisticated cybercriminal group associated with the broader loosely connected network known as the Com — composed largely of young, English-speaking individuals who specialise in data theft and extortion at enterprise scale. The group has a documented track record of targeting major organisations through social engineering, voice phishing, and credential theft targeting SaaS platforms including Salesforce, Okta, and Microsoft 365. Recent confirmed victims include the European Commission, Rockstar Games, Zara, Canada Goose, Odido, Figure, and SoundCloud. The group's consistent and deliberate pivot toward supply chain and analytics vendor targeting — rather than direct infrastructure attacks — reflects an evolved understanding that enterprise perimeter security has hardened sufficiently to make indirect routes through trusted third-party integrations a far more productive attack vector.
Upon discovering the incident, Vimeo acted swiftly by disabling all Anodot credentials, severing the Anodot integration entirely from its systems, engaging third-party cybersecurity experts for forensic investigation, and notifying law enforcement. The investigation remains ongoing with further updates committed as new information emerges. For security and compliance teams across the industry, this breach — alongside the simultaneous Anodot-linked exposures at Rockstar and Zara — is a definitive signal that third-party analytics and monitoring vendor integrations must be subject to the same rigorous security standards as core infrastructure. Enforcing strict data minimisation policies with all vendors, conducting regular third-party security assessments, limiting the scope and sensitivity of data shared with analytics integrations, and maintaining the operational capability to rapidly revoke all external vendor access at a moment's notice are now baseline security requirements. As ShinyHunters continues to refine and scale its supply chain targeting methodology, organisations that have not yet audited their third-party analytics integrations are carrying a real and largely invisible risk exposure.