Vimeo Data Exposed in Supply-Chain Attack on Vendor Anodot; ShinyHunters Implicated

Executive Summary

Video hosting platform Vimeo has disclosed a security incident where user and customer data was exposed due to a supply chain attack targeting its third-party analytics vendor, Anodot. Attackers compromised Anodot and stole authentication tokens, which they then used to gain unauthorized access to the cloud data environments of Anodot's customers, including Vimeo's Snowflake and BigQuery instances. The notorious extortion group ShinyHunters has claimed responsibility, listing Vimeo on its leak site. Exposed data includes video metadata and some customer emails, but not video content or payment details. Vimeo has since disabled the Anodot integration and all associated credentials.

Threat Overview

This incident is a classic supply chain attack where a less-secure third-party vendor becomes the entry point into a more secure primary target.

Victim: Vimeo
Attack Vector: Compromise of third-party vendor, Anodot.
Method: Attackers stole authentication tokens from Anodot, which granted access to customer data warehouses.
Threat Actor: ShinyHunters claimed the attack.
Exposed Data:
- Technical information
- Video titles and metadata
- Some customer email addresses
Data Not Exposed: Uploaded video content, user credentials, payment card information.

ShinyHunters listed Vimeo on its data leak site and claimed to have data from the company's Snowflake and BigQuery instances. This campaign was not isolated to Vimeo; gaming giant Rockstar Games was also identified as a victim of the same Anodot compromise, highlighting the widespread impact of a single vendor breach.

Technical Analysis

The core of this attack was the theft and misuse of authentication tokens. By compromising the central analytics platform (Anodot), the attackers gained a powerful pivot point. Anodot, by design, would have had persistent, trusted access tokens to its customers' data warehouses (like Snowflake and BigQuery) in order to perform its analytics functions.

Once the attackers stole these tokens from Anodot, they could directly query the customers' data warehouses, bypassing the primary target's direct perimeter defenses. This is a highly effective technique because the access requests made with the stolen tokens would appear to originate from a legitimate, trusted third-party service.

MITRE ATT&CK Techniques

T1528 - Steal Application Access Token: The central technique of the attack, where tokens were stolen from the vendor, Anodot.
T1625 - Steal or Forge Cloud Credentials: A broader classification of the token theft, specifically targeting cloud service access.
T1530 - Data from Cloud Storage Object: Attackers used the stolen tokens to directly access and exfiltrate data from Vimeo's Snowflake and BigQuery cloud data warehouses.
T1199 - Trusted Relationship: The attackers exploited the trusted relationship between Vimeo and its vendor, Anodot, to gain access.

Impact Assessment

For Vimeo, the impact is primarily reputational. While the company emphasizes that the most sensitive data was not exposed, any unauthorized access to user data erodes trust. The incident also incurs costs for incident response, forensic investigation, and legal review.

This attack serves as a powerful case study on the systemic risk posed by supply chain vulnerabilities. The compromise of a single vendor, Anodot, had a cascading effect on multiple high-profile customers. It forces organizations to re-evaluate their third-party risk management programs and the level of trust and access granted to vendors.

IOCs — Directly from Articles

No specific Indicators of Compromise were mentioned in the source articles.

Cyber Observables — Hunting Hints

Organizations can hunt for signs of similar third-party token compromise:

Type

log_source

Value

Snowflake/BigQuery Audit Logs

Description

Monitor for queries originating from vendor service accounts that are unusual in volume, frequency, or target tables.

Type

cloud_observable

Value

Access from non-standard IP ranges

Description

Look for API calls from a vendor's service account originating from IP addresses outside of the vendor's known ASN or IP range.

Type

user_agent

Value

Unusual User-Agent strings

Description

An attacker using a stolen token with a script may use a different User-Agent than the legitimate vendor application.

Detection & Response

Vimeo's response was appropriate:

Disable Credentials: Immediately revoking all credentials and tokens associated with the compromised vendor (Anodot) is the critical first step to stop the bleeding.
Remove Integration: Disconnecting the service entirely ensures no further access is possible.
Investigate and Notify: Launching a forensic investigation and notifying customers and law enforcement are key components of responsible disclosure.

For detection, organizations should focus on D3-CUA - Cloud User Activity Analysis, specifically monitoring the behavior of third-party service accounts for anomalies.

Mitigation

Third-Party Risk Management (TPRM): Conduct rigorous security assessments of all vendors, especially those with access to sensitive data or systems.
Least Privilege for Vendors: Grant vendors the absolute minimum level of access required for their function. Use read-only roles where possible and scope access to specific datasets, not the entire warehouse.
Token and Key Rotation: Enforce regular rotation of all API keys and tokens used by third-party services.
IP-Based Access Controls: Where possible, restrict access for vendor service accounts to a known, allow-listed set of IP addresses belonging to the vendor.
Contractual Obligations: Ensure vendor contracts include strong security requirements, liability clauses, and mandatory breach notification timelines.

Vimeo Confirms User Data Exposure Following Breach at Third-Party Analytics Vendor Anodot