Vimeo Confirms Data Breach After ShinyHunters Exploit Third-Party Analytics Vendor Anodot

Summary

Vimeo has confirmed a data breach originating from a compromise of its third-party analytics vendor, Anodot. The cybercrime group ShinyHunters exploited a vulnerability in Anodot’s platform to steal authentication tokens, which they then used to access customer cloud environments including Vimeo’s Snowflake and BigQuery instances.

The accessed data primarily includes technical operational data, video titles, metadata, and some customer email addresses. Vimeo has stated that user video content, login credentials, and payment card information were not compromised. In response, Vimeo has disabled all Anodot credentials, removed the integration, and engaged third-party security experts. ShinyHunters is reportedly attempting to extort Vimeo, threatening to leak the stolen data.

Source

SecurityWeek — Vimeo Confirms User and Customer Data Breach
Vimeo Blog — Anodot Third-Party Security Incident

Commentary

This is yet another entry in ShinyHunters’ 2026 rampage and another textbook example of supply-chain compromise through third-party SaaS integrations. The attack vector — stealing auth tokens from a vendor to pivot into Snowflake and BigQuery — mirrors the broader pattern we saw with the Snowflake-related breaches in 2024, and the recent Vercel/Context.ai incident.

The lesson is becoming a broken record but bears repeating: your security posture is only as strong as your weakest vendor integration. Organizations need to aggressively audit what third-party tools have access to their data warehouses, enforce token rotation policies, and implement anomaly detection on cloud data access patterns. Anodot was acquired by Glassbox in late 2025, which raises questions about whether security practices degraded during the transition.
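
A minimal sketch of the token-rotation and access-anomaly checks recommended above, written as an added example rather than anything from Vimeo, Anodot, or the cited reports. The integration names, field names, thresholds, and log records are all constructed assumptions, not a Snowflake or BigQuery schema.

```python
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed inventory of third-party integrations (hypothetical names and fields).
INTEGRATIONS = {
    "svc_analytics_vendor": {"allowed_nets": ["198.51.100.0/24"],
                             "token_issued": date(2025, 6, 1)},
    "svc_bi_dashboard": {"allowed_nets": ["203.0.113.0/24"],
                         "token_issued": date(2026, 3, 20)},
}

# Constructed access events: (day, identity, source IP, rows read).
ACCESS_LOG = [
    (date(2026, 4, 1), "svc_analytics_vendor", "198.51.100.10", 120_000),
    (date(2026, 4, 2), "svc_analytics_vendor", "198.51.100.11", 135_000),
    (date(2026, 4, 3), "svc_analytics_vendor", "198.51.100.10", 110_000),
    (date(2026, 4, 4), "svc_analytics_vendor", "192.0.2.77", 9_400_000),
    (date(2026, 4, 4), "svc_bi_dashboard", "203.0.113.5", 40_000),
]

def stale_tokens(integrations, today, max_age_days=90):
    """Return integrations whose token is older than the rotation policy."""
    return sorted(name for name, cfg in integrations.items()
                  if (today - cfg["token_issued"]).days > max_age_days)

def flag_access(log, integrations, spike_factor=10):
    """Flag events from outside a vendor's known networks or far above its usual volume."""
    history, alerts = {}, []
    for day, ident, src, rows in sorted(log):
        cfg = integrations.get(ident)
        if cfg is None:
            alerts.append((day, ident, "unknown integration identity"))
            continue
        reasons = []
        if not any(ip_address(src) in ip_network(n) for n in cfg["allowed_nets"]):
            reasons.append("source outside vendor networks")
        seen = history.setdefault(ident, [])
        if len(seen) >= 3 and rows > spike_factor * median(seen):
            reasons.append("read volume spike")
        if not reasons:
            seen.append(rows)  # only unflagged events feed the baseline
        alerts.extend((day, ident, r) for r in reasons)
    return alerts

if __name__ == "__main__":
    print(stale_tokens(INTEGRATIONS, date(2026, 4, 5)))
    print(flag_access(ACCESS_LOG, INTEGRATIONS))
```

In practice the events would come from the warehouse's own audit logs and the allowed networks from the vendor's published egress ranges; enforcing the same ranges as a network policy on the integration identity blocks the access instead of only alerting on it.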
