Vimeo Data Breach: ShinyHunters Steals 119,000 Users via Anodot Supply Chain

Vimeo has confirmed a data breach affecting over 119,000 users following an attack that the video hosting platform traces back to a security incident at Anodot — a third-party data analytics vendor integrated into Vimeo's infrastructure. The ShinyHunters cybercrime group (a prolific extortion gang responsible for numerous high-profile breaches including the 2024 Snowflake customer campaign and multiple telecom incidents) claimed responsibility, demanded payment, and ultimately leaked a 106 GB archive of stolen data after Vimeo declined to negotiate.

The breach occurred in April 2026. Email addresses were confirmed exposed; in a subset of cases, names were also included. Vimeo says login credentials, passwords, and financial data were not accessed.

What We Know So Far

The attack did not target Vimeo's own systems directly. ShinyHunters gained access through Anodot, which provides data anomaly detection and business intelligence services and held a data integration with Vimeo's internal analytics environment.

According to ShinyHunters' own claims — published on their dark web data leak site after the extortion attempt failed — the group specifically targeted Anodot's cloud infrastructure. The group alleged that "Snowflake and BigQuery instances data was compromised thanks to Anodot.com," which points to a cloud data warehouse attack (Snowflake and BigQuery are cloud-based analytical data platforms used to store and query large datasets). The attackers accessed data that Vimeo had shared with Anodot for analytics purposes, including customer and user records that were being processed or stored in that environment.

Vimeo's official statement confirmed that "an unauthorized actor accessed certain Vimeo user and customer data" as a result of the Anodot incident. The company's investigation found that the databases accessed primarily contained:

  • Technical data and video metadata (titles, timestamps, settings)
  • Customer email addresses
  • In a subset of records, customer names

Vimeo stated that the breach did not expose account passwords, financial information, or payment card data. The company disabled all Anodot API credentials immediately upon learning of the incident, terminated the integration, and engaged external security assistance while notifying law enforcement.

Have I Been Pwned (the free breach notification service operated by security researcher Troy Hunt, which allows individuals to check whether their email address has appeared in known data breaches) has indexed the Vimeo breach data, making self-checks accessible at haveibeenpwned.com.

The ShinyHunters Extortion Play

ShinyHunters set a deadline for Vimeo to make contact to begin negotiations — the group publicly stated it made "multiple attempts" to reach an agreement before going public. When Vimeo did not engage, the group published the 106 GB archive on their dark web leak site, making the stolen data available to other threat actors.

This follows a well-established ShinyHunters playbook. The group rose to prominence in 2020 through a series of database theft-and-sale operations and has since evolved toward the double-extortion model: steal data, demand payment, and leak when payment is refused. The same group was implicated in the 2024 Snowflake customer breach campaign, in which they obtained credentials from a credential-stealing malware campaign and then used those credentials to access Snowflake cloud environments belonging to dozens of major organizations, including Ticketmaster, Santander Bank, and others. The Anodot intrusion — if the group's Snowflake/BigQuery claim is accurate — is consistent with that same cloud analytics focus.

The simultaneous involvement of the Qilin ransomware group in claims against Cushman & Wakefield on the same day illustrates a pattern common in the current threat landscape: cybercrime groups operate in parallel campaigns against multiple targets, and data leak sites are increasingly used not just for actual extortion but for reputation and attention.

Who Is Affected

Any Vimeo user or customer whose account email was processed through Anodot's analytics environment during the breach window in April 2026 may be affected. Vimeo has said it is notifying affected individuals directly. The 119,000-person figure represents unique email addresses identified in the Have I Been Pwned dataset; the total number of records in the 106 GB archive may be broader.

Vimeo serves video hosting for both individual creators and business customers. Business customers who used Vimeo's analytics integrations — where data flows to third-party analytics vendors for business intelligence — are more likely to have had records in the Anodot environment.

Affected individuals face risks typical of an email address exposure: targeted phishing attempts (email-based attacks where the sender impersonates a trusted entity to trick the recipient into clicking a malicious link or providing credentials), credential stuffing (automated attacks that try email/password combinations stolen from other breaches against services the user is registered on), and social engineering. The absence of passwords in the leaked data reduces but does not eliminate these risks.

What You Should Do Right Now

  • Check your exposure on Have I Been Pwned. Visit haveibeenpwned.com and enter your email address. If you see a Vimeo breach entry, your address was in the dataset.
  • Change your Vimeo password as a precaution. Even though Vimeo says passwords were not exposed, changing your password is a low-cost protective step. Use a unique password not reused on other services.
  • Enable two-factor authentication (2FA) on your Vimeo account. 2FA (a security measure that requires a second verification step — such as a code sent to your phone or generated by an authenticator app — in addition to your password) prevents account takeover even if an attacker has your credentials.
  • Monitor your email for phishing attempts. Attackers who acquire email addresses from breach data frequently launch targeted phishing campaigns. Be skeptical of emails referencing your Vimeo account, asking you to verify credentials, or prompting urgent action. Vimeo will communicate through its official domains only.
  • If you are a Vimeo business customer, review your vendor data-sharing agreements. Understand which third-party analytics or data services have access to your customer data. Request confirmation from those vendors about their security posture, and ensure data minimization principles — sharing only what is strictly necessary for the vendor's function — are applied.

Background: Understanding the Risk

Third-party vendor breaches — sometimes called supply chain compromises at the data layer — are one of the most effective attack vectors for groups like ShinyHunters precisely because they allow a single point of compromise to yield data from multiple downstream targets. A vendor like Anodot, which processes data from many clients simultaneously, represents a highly efficient target: one successful intrusion can expose the data of dozens or hundreds of the vendor's customers.

This attack pattern became prominent in 2020 and 2021 with incidents involving marketing and analytics vendors, and reached a peak in 2024 with the Snowflake-linked campaign that affected over 160 organizations. The Anodot incident follows the same structural logic: the attacker targets the data aggregator, not the end customer.

For organizations that rely on cloud analytics vendors, the incident underscores the importance of:

  • Data minimization: Third-party analytics environments should contain only the minimum dataset necessary for the analytics use case. Customer email addresses, for example, can often be replaced with pseudonymous identifiers without losing analytical value.
  • Credential hygiene: API credentials issued to vendors should be scoped narrowly, rotated regularly, and revocable quickly. Vimeo's ability to immediately disable Anodot credentials after the incident was confirmed represents a correct response; the goal is to reduce the damage window.
  • Continuous vendor monitoring: Organizations should track whether their vendors have experienced security incidents — a step that is often missed in conventional third-party risk assessment programs that rely on annual questionnaires.
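
The data minimization point above, as an added example (not code from Vimeo or Anodot): an export step that drops every field outside an allowlist and replaces the email address with a keyed pseudonym before a row is shared with an analytics vendor. The field names, sample rows, and key are constructed for illustration.

```python
import hashlib
import hmac

# Fields the analytics use case needs; everything else is dropped (assumed allowlist).
ALLOWED_FIELDS = {"video_id", "plays", "plan", "event_ts"}


def normalize_email(email: str) -> str:
    """Canonical form so the same user always maps to the same pseudonym."""
    return email.strip().lower()


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the email. The key stays with the data owner, so
    the vendor cannot rebuild the mapping by hashing candidate addresses."""
    mac = hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def minimize_record(record: dict, key: bytes) -> dict:
    """Row shared with the vendor: allowlisted fields plus a pseudonymous
    user_ref in place of email and name."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    out["user_ref"] = pseudonymize(record["email"], key)
    return out


def unkeyed_hash_is_guessable(email: str, candidates: list[str]) -> bool:
    """Why a plain SHA-256 of the email is not enough: anyone holding a list
    of addresses can recompute the hash and match it."""
    target = hashlib.sha256(normalize_email(email).encode()).hexdigest()
    return any(
        hashlib.sha256(normalize_email(c).encode()).hexdigest() == target
        for c in candidates
    )


# Constructed sample data; in practice the key comes from a secrets manager.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_ROWS = [
    {"email": "Alice@Example.com ", "name": "Alice A.", "video_id": "v1", "plays": 12, "plan": "pro", "event_ts": "2026-04-02T10:00:00Z"},
    {"email": "alice@example.com", "name": "Alice A.", "video_id": "v2", "plays": 3, "plan": "pro", "event_ts": "2026-04-03T11:30:00Z"},
    {"email": "bob@example.com", "name": "Bob B.", "video_id": "v1", "plays": 7, "plan": "free", "event_ts": "2026-04-03T12:00:00Z"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(minimize_record(row, SAMPLE_KEY))
```

Per-user aggregation still works on the vendor side because both of the first two rows carry the same user_ref, while a leak of the vendor's copy exposes neither addresses nor names.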

The scale of the Vimeo breach — 119,000 users — is significant but not exceptional in absolute terms. The more important signal is the method: an analytics vendor, a cloud data warehouse, and a well-resourced extortion group that knew exactly what to look for. That combination is repeatable, and other organizations with similar vendor architectures should treat this as a prompt for review.

Conclusion

ShinyHunters breached Vimeo by compromising analytics vendor Anodot, exposing over 119,000 email addresses and metadata records. Credentials and payment data were not taken. Vimeo users should check their exposure on Have I Been Pwned, change their passwords, and enable 2FA; business customers should audit their vendor data-sharing arrangements to reduce exposure in the next third-party breach.
