Vimeo Data Breach: 119,200 Emails Exposed via Anodot Integration

In May 2026, reports surfaced that the threat group ShinyHunters breached Vimeo’s systems in April 2026 by exploiting an integration with the anomaly detection platform Anodot. The intrusion exposed the email addresses and, in some cases, the names of approximately 119,200 users. Following a failed extortion attempt, a 106 GB archive was published on a dark web leak site, prompting the platform to permanently disable the third-party connector. The incident highlights how B2B analytics integrations are increasingly becoming a primary attack vector for mature cloud infrastructures, extending the security perimeter far beyond core systems.
- ShinyHunters gained access to Vimeo’s databases in April 2026 through an Anodot integration, exfiltrating technical metadata, video titles, and personal information.
- Have I Been Pwned confirmed the exposure of roughly 119,200 email addresses and some associated names; Vimeo clarified that valid credentials, video content, and payment data were not compromised.
- Following a failed ransom demand, the attackers leaked a 106 GB archive on their dark web site.
- Vimeo has since removed the Anodot integration and revoked all associated credentials, identifying the third-party vendor as the specific vector of the breach.
Anodot as the Entry Point to Vimeo’s Data Warehouses
The intrusion did not come from a direct assault on Vimeo’s primary servers but through the data pipeline connecting the platform to Anodot, a specialist in automated anomaly detection.
ShinyHunters explicitly claimed to have compromised Vimeo's Snowflake and BigQuery instances "thanks to Anodot.com," according to a ransom note reviewed by BleepingComputer.
Vimeo confirmed that the unauthorized access occurred through this specific connection, announcing the immediate deactivation of the integration and the revocation of all related credentials.
This attack vector confirms a growing trend: threat actors are shifting focus from heavily guarded core systems toward less-monitored interconnections where security visibility is often limited.
The precise technical mechanism of the compromise remains unconfirmed; it is currently unclear whether the breach stemmed from exposed tokens, excessive permissions, or a specific vulnerability within Anodot’s software.
Analyzing the 106 GB Archive Published by ShinyHunters
After the extortion attempt failed, the group uploaded an archive totaling approximately 106 GB to the dark web.
An independent analysis by Have I Been Pwned confirmed that the leak contains approximately 119,200 email addresses, with some entries including user names.
Vimeo specified that the affected databases primarily contained technical metadata and video titles, rather than active authentication credentials, multimedia content, or financial information.
The 106 GB file size suggests the dump may include log tables and telemetry data—typical for an anomaly detection platform that requires high-volume access to structured information flows.
The nature of the leak is therefore hybrid: it contains both personally identifiable information (PII) and internal configuration data regarding the platform’s hosted content.
Vimeo Excludes Passwords, Videos, and Payment Data from Breach Scope
In its official communication, Vimeo drew a clear distinction regarding the data that was not compromised.
The platform clarified that the breach did not include video content, valid authentication credentials, or payment data, assuring users that their passwords remain secure.
This distinction is critical as it reduces the immediate risk of direct account takeovers. However, the exposure of 119,200 email addresses still leaves victims vulnerable to targeted phishing campaigns and potential credential stuffing on other services.
Even without compromised credentials, users are advised to remain vigilant; email addresses often serve as the primary key for cross-platform credential stuffing attacks if the same login is reused elsewhere.
“Your Snowflake and Bigquery instances data was compromised thanks to Anodot.com” — ShinyHunters
Response Strategies: Credential Audits and Exposure Verification
Vimeo account holders should immediately use Have I Been Pwned to check if their email address was included in the dump and enable two-factor authentication on all sensitive accounts.
Enterprise security teams utilizing Vimeo or similar platforms should rotate API keys and tokens shared with analytics and anomaly detection vendors without delay.
It is equally urgent to map all B2B SaaS connections to internal data warehouses, restricting permissions to the minimum necessary datasets and implementing monitoring for anomalous queries.
Finally, administrators should ensure third-party contracts include transparency clauses regarding permissions, verifying that no external integration can access production databases unless strictly required for operation.
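The least-privilege and query-monitoring steps above can be checked against a warehouse query log. The following is an added example, not code from Vimeo, Anodot or the original article; the account names, table names, allowlist and thresholds are hypothetical, and the log rows are constructed.

```python
from collections import defaultdict
from statistics import median

def _row(day, user, table, gb):
    return {"day": day, "user": user, "table": table, "bytes": int(gb * 1e9)}

# Constructed sample rows, one per query, shaped like a warehouse query-log export.
QUERY_LOG = [
    _row("2025-03-01", "svc_vendor", "metrics.playback_events", 2.0),
    _row("2025-03-02", "svc_vendor", "metrics.playback_events", 2.2),
    _row("2025-03-03", "svc_vendor", "metrics.error_rates", 1.8),
    _row("2025-03-04", "svc_vendor", "metrics.playback_events", 2.1),
    _row("2025-03-05", "svc_vendor", "metrics.playback_events", 2.0),
    _row("2025-03-05", "svc_vendor", "users.accounts", 40.0),
    _row("2025-03-05", "analyst_jane", "users.accounts", 0.5),
]

# Hypothetical allowlist: the only datasets each integration account should read.
ALLOWED = {"svc_vendor": {"metrics.playback_events", "metrics.error_rates"}}

def audit(log, allowed, factor=5.0, min_history=3):
    """Return sorted (day, user, reason) findings for integration accounts."""
    findings = set()
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes scanned
    for row in log:
        user = row["user"]
        if user not in allowed:
            continue  # human and unlisted accounts are out of scope here
        if row["table"] not in allowed[user]:
            findings.add((row["day"], user, f"off-allowlist read: {row['table']}"))
        daily[user][row["day"]] += row["bytes"]
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]  # earlier days only
            # Flag a day whose volume exceeds factor x the median of prior days.
            if len(history) >= min_history and per_day[day] > factor * median(history):
                findings.add((day, user, "scan volume above baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(QUERY_LOG, ALLOWED):
        print(*finding, sep=" | ")
```

An off-allowlist read also shows that the account's grants are broader than its allowlist, so each such finding is a permission to revoke as well as an alert to triage.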
The Expanding Attack Surface Beyond Core Systems
This incident demonstrates that mature cloud platforms are not necessarily breached through the front door, but through the "side doors" left open for SaaS partners and sub-processors.
This evolution places analytics, billing, and monitoring vendors in the same risk category as critical infrastructure providers, a shift whose implications many third-party risk management programs have yet to address.
While the Anodot integration was functional for data monitoring, it created a bridge between an external ecosystem and Vimeo's Snowflake and BigQuery warehouses.
When an anomaly detection firm itself becomes the anomaly, traditional perimeter-based security reaches its limit. B2B integration governance must now be treated with the same priority as server hardening, as every connector represents a potential corridor for data exfiltration.
Vimeo was not breached through an internal code error or direct social engineering, but through a vendor pipeline. This shifts the debate from the robustness of a single application to the governance of the entire SaaS ecosystem, where the security perimeter is only as strong as the connected chain of trust.
Frequently Asked Questions
Were Snowflake and BigQuery breached directly or via Anodot?
According to ShinyHunters, the Snowflake and BigQuery instances were compromised "thanks to Anodot.com," indicating indirect access via the integration rather than a direct exploit of the data warehouses themselves.
Has a specific vulnerability been identified in Anodot?
No technical details confirming a zero-day or specific CVE in Anodot’s software have been released. The exact mechanism of the compromise—whether through exposed credentials or misconfiguration—remains undetermined.
Why did ShinyHunters leak the 106 GB archive?
The group attempted an extortion operation that did not result in a ransom payment. Consequently, they followed their standard protocol and published the dump on their dark web leak site.