Vimeo said some customer and user data was accessed without authorization after the recent breach at data anomaly detection company Anodot, with exposed records including email addresses for some customers, technical data, video titles and metadata.
KEY FACTS
- Exposed data Technical data, video titles, metadata and some customer email addresses
- Not affected Video content, account credentials and payment card information
- Impact Vimeo said its operations remained unaffected
- Response The company disabled Anodot credentials and removed the integration
The disclosure said the databases accessed primarily contained technical data, video titles and metadata. It said the exposed information did not include uploaded video content, account credentials or payment card information.
The breach was claimed by ShinyHunters, which said it had data from the company’s Snowflake and BigQuery instances and threatened to publish it by April 30 unless a ransom was paid. The group also warned the platform to expect “several annoying digital problems.”
The Anodot incident involved attackers stealing authentication tokens and using them to access customer environments, mainly Snowflake, and exfiltrate data from multiple organizations. Vimeo said it has disabled all Anodot credentials, removed the service’s integration and notified law enforcement.
The company said it is investigating with third-party security experts and will provide updates if new information emerges. It did not state how much data was taken.
WHY IT MATTERS
The case shows how a breach at one service provider can expose data from downstream customers even when their own systems are not directly compromised. For Vimeo users, the main confirmed risk is the exposure of contact and technical information, not payment data or uploaded videos.