Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Vercel

Vercel Vendor Cyber Rating & Cyber Score

vercel.com

Vercel provides the developer tools and cloud infrastructure to build, scale, and secure a faster, more personalized web. Customers like Under Armour, Nintendo, The Washington Post, and Zapier use Vercel to build dynamic user experiences on the web.


Vercel A.I CyberSecurity Scoring

Vercel
Company Information
Website:https://vercel.com
Employees number:873
Number of followers:200,744
NAICS:5112
Industry Type:Software Development
Homepage:vercel.com
Vercel Risk Score (AI oriented)
Between 0 and 549
logo
VercelSoftware Development
Updated:
17/06/2026
437/1000
Critical
C
AaaAaABaaBaBCaaCaC
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Vercel Global Score (TPRM)
xxxx
logo
VercelSoftware Development
•••
Score locked
Instant access to detailed risk factors
Vulnerabilities
Benchmark vs. industry & size peers
Findings

Vercel
VercelCritical
Current Score
437C (CRITICAL)
01000
8 incidents
-57.83 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
442Before Incident
JUNE 2026
439Before Incident
MAY 2026
457Before Incident
Cyber Attack
01 May 2026Vercel
Google, Vercel, Netlify, Canva and Adobe: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook Accounts via Google AppSheet

432After Incident
LOW-25
CANADOGOONETVER1777660893
Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook Accounts via Google AppSheet A newly uncovered cybercriminal operation, dubbed AccountDumpling by Guardio Labs, has exploited Google AppSheet as a phishing relay to compromise approximately 30,000 Facebook accounts. The campaign, attributed to Vietnamese threat actors, targets business account owners with deceptive emails impersonating Meta Support, warning of imminent account deletion unless users submit an appeal. The attack begins with phishing emails sent from a Google AppSheet address ([email protected]), bypassing spam filters by leveraging the platform’s legitimacy. Victims are directed to fake Meta-branded pages hosted on Netlify, Vercel, or disguised as Google Drive PDFs where they are tricked into entering credentials, two-factor authentication (2FA) codes, government ID photos, and other sensitive data. Stolen information is exfiltrated to attacker-controlled Telegram channels, which collectively hold records from victims across the U.S., Italy, Canada, the Philippines, and other countries. The operation employs multiple lures, including: - Fake Meta appeals (e.g., account disablement, copyright complaints, or verification reviews). - Blue badge evaluation scams, using bogus CAPTCHA checks to harvest credentials. - Google Drive-hosted PDFs (created via Canva) that mimic verification instructions. - Fake job offers impersonating companies like Meta, WhatsApp, and Adobe to build trust before redirecting victims to malicious sites. Metadata from the Canva-generated PDFs led researchers to a Vietnamese individual, PHẠM TÀI TÂN, whose website (phamtaitan[.]vn) advertises digital marketing services. Open-source intelligence suggests the operation is part of a broader underground economy where stolen Facebook accounts along with associated ad reputations and recovery access are monetized through illicit storefronts. The campaign reflects a growing trend of Vietnamese threat actors repurposing trusted platforms (e.g., Google AppSheet, Netlify, Vercel) to scale phishing attacks, highlighting the commodification of compromised social media assets in cybercrime markets.
INCIDENT DETAILS -
TYPE
Phishing
MOTIVATION
Financial gain (monetization of stolen Facebook accounts, ad reputations, and recovery access)
IMPACT
Data Compromised: Facebook account credentials, 2FA codes, government ID photos, personally identifiable information (PII)Systems Affected: Facebook accounts (business and personal)Operational Impact: Loss of access to Facebook accounts, potential misuse of accounts for further scams or ad fraudBrand Reputation Impact: Potential reputational damage to Meta (Facebook) due to impersonation and account hijackingIdentity Theft Risk: High (government ID photos and PII exposed)
DATA BREACH
Credentials2FA codesGovernment ID photosPersonally identifiable information (PII)Number Of Records Exposed: 30,000 accountsSensitivity Of Data: High (PII, government IDs, authentication data)Data Exfiltration: Yes (stolen data sent to attacker-controlled Telegram channels)PDFs (fake verification instructions)Personally Identifiable Information: Yes (government ID photos, account details)
APRIL 2026
544Before Incident
Breach
24 Apr 2026Vercel
Udemy, McGraw-Hill, Vercel and Harvard University: Udemy Data Breach – ShinyHunters Allegedly Claims Compromise of 1.4M User Records

ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records

456After Incident
CRITICAL-88
MCGVERHARUDE1777034314
ShinyHunters Claims Major Data Breach of Udemy, Threatens to Leak 1.4M Records On April 24, 2026, the cybercriminal group ShinyHunters announced a data breach targeting Udemy, one of the world’s largest online learning platforms, alleging the theft of over 1.4 million records containing personally identifiable information (PII) and internal corporate data. The group issued a "Pay or Leak" ultimatum, demanding a response from Udemy by April 27, 2026, or risk public exposure of the stolen data. ShinyHunters, a financially motivated extortion group active since 2019, has built a reputation for high-profile breaches, including the 2020 theft of 200 million records from 13 companies. In 2026 alone, the group has intensified attacks on SaaS platforms and the education sector, with recent victims including Vercel, McGraw-Hill, and Harvard University (where 115,000 alumni records were exposed). Google Threat Intelligence tracks the group under the designation UNC6240, noting its shift from traditional network exploitation to social engineering, MFA bypass, and credential harvesting. ShinyHunters often exploits third-party integrations and compromised vendor credentials, as seen in the Vercel breach, where a third-party vendor (Context.ai) served as the entry point. The education sector remains a prime target, with ShinyHunters previously breaching India’s Unacademy, stealing over 10 million user accounts. As of publication, Udemy has not confirmed or denied the breach, and researchers continue monitoring the group’s leak site for potential data release following the deadline. The incident underscores the group’s evolving tactics and persistent focus on high-value targets.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial Extortion
IMPACT
Data Compromised: 1.4 million recordsIdentity Theft Risk: High
DATA BREACH
Personally Identifiable Information (PII)Internal Corporate DataNumber Of Records Exposed: 1.4 millionSensitivity Of Data: High
APRIL 2026
606Before Incident
Breach
20 Apr 2026Vercel
Vercel and Context.ai: Third-party AI hack triggers Vercel breach, internal environments accessed

Vercel Breach Traced to Compromised Third-Party AI Tool

544After Incident
CRITICAL-62
THEVER1776690400
Vercel Breach Traced to Compromised Third-Party AI Tool On April 20, 2026, cloud platform provider Vercel disclosed a security breach stemming from the compromise of a third-party AI tool, Context.ai. The incident allowed attackers to hijack an employee’s Google Workspace account, granting access to limited internal systems and non-sensitive environment variables. While sensitive data such as credentials marked as "sensitive" remained protected, the breach exposed some customer-related information. Vercel, known for its serverless deployment solutions and support for frameworks like Next.js, confirmed the attacker demonstrated advanced technical skills, moving swiftly through its infrastructure. The company is collaborating with cybersecurity firm Mandiant and law enforcement to investigate the scope of the breach and has partnered with Context.ai to assess the fallout. The attack originated from a compromised OAuth app linked to Google Workspace, with Vercel identifying the suspicious app ID as 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. The incident highlights risks associated with third-party integrations, particularly in AI-driven tools, and underscores the need for heightened scrutiny of OAuth permissions in enterprise environments.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Data Compromised: Non-sensitive environment variables, some customer-related informationSystems Affected: Limited internal systems
DATA BREACH
Type Of Data Compromised: Non-sensitive environment variables, customer-related informationSensitivity Of Data: Non-sensitive (sensitive credentials were protected)
APRIL 2026
677Before Incident
Breach
19 Apr 2026Vercel
Vercel: Vercel confirms breach as hackers claim to be selling stolen data

Vercel Security Breach Amid Hacker Extortion Claims

544After Incident
CRITICAL-133
VER1776623025
Vercel Discloses Security Breach Amid Hacker Extortion Claims Vercel, a leading cloud development platform specializing in JavaScript frameworks like Next.js, has confirmed a security incident involving unauthorized access to its internal systems. The breach, disclosed in a security bulletin today, affects a limited subset of customers, though the company states its services remain operational. Vercel is actively investigating the incident with the help of external incident response experts and has notified law enforcement. While no service disruptions have been reported, the company is advising impacted customers to review environment variables, utilize its sensitive variable feature, and rotate secrets if necessary. The disclosure follows claims by a threat actor purporting to be part of the ShinyHunters hacking group who posted on a hacking forum offering stolen Vercel data for sale. The attacker alleged possession of access keys, source code, database records, and internal deployment credentials, including NPM and GitHub tokens. A sample shared as proof contained 580 employee records with names, Vercel email addresses, account statuses, and activity timestamps, alongside a screenshot of an internal enterprise dashboard. Notably, established members of the ShinyHunters extortion gang have denied involvement in the attack. The threat actor also claimed to have demanded a $2 million ransom from Vercel, though the company has not confirmed whether negotiations are underway. BleepingComputer has not independently verified the authenticity of the leaked data. Vercel continues to assess the scope of the breach and has not disclosed whether sensitive customer data or credentials were exposed. Further updates are expected as the investigation progresses.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Extortion
IMPACT
Data Compromised: Access keys, source code, database records, internal deployment credentials (NPM and GitHub tokens), employee records (names, Vercel email addresses, account statuses, activity timestamps)Systems Affected: Internal systemsOperational Impact: Limited subset of customers affected; services remain operational
DATA BREACH
Access keysSource codeDatabase recordsInternal deployment credentialsEmployee recordsNumber Of Records Exposed: 580 employee recordsSensitivity Of Data: High (NPM and GitHub tokens, internal enterprise dashboard access)Personally Identifiable Information: Names, Vercel email addresses, account statuses, activity timestamps
APRIL 2026
696Before Incident
Cyber Attack
03 Apr 2026Vercel
GitHub, Next.js, Stripe and AWS: Hackers Compromised 700+ Next.js Hosts by Exploiting React2Shell Vulnerability

Massive Credential Theft Campaign Exploits React2Shell Flaw in Next.js Applications

676After Incident
CRITICAL-20
AMAVERGITSTR1775204764
Massive Credential Theft Campaign Exploits React2Shell Flaw in Next.js Applications Cybersecurity researchers at Cisco Talos have uncovered a large-scale automated credential theft campaign orchestrated by the hacker group UAT-10608, which has compromised over 700 servers worldwide. The attackers are exploiting CVE-2025-55182 (React2Shell), a critical remote code execution (RCE) vulnerability in React Server Components used by Next.js applications. The flaw allows attackers to send maliciously crafted web requests to vulnerable servers, executing arbitrary commands without requiring authentication or user interaction. Once exploited, the attack deploys a malicious script that silently extracts sensitive data, including database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, and GitHub access tokens. To manage the stolen data, the threat actors use a custom web dashboard called the "NEXUS Listener", which recorded 766 compromised hosts in just 24 hours. The impact is severe: - Over 90% of affected servers had database credentials stolen. - Nearly 80% lost private SSH keys, enabling lateral movement across networks. - Stolen cloud credentials could allow attackers to hijack entire cloud environments. - Compromised GitHub tokens risk malicious code injections into software updates. The campaign highlights the urgent need for organizations using Next.js to patch the React2Shell vulnerability and rotate exposed credentials. The stolen data provides attackers with persistent access to critical systems, posing long-term security risks.
INCIDENT DETAILS -
TYPE
Credential Theft
IMPACT
Data Compromised: Database credentials, SSH keys, AWS cloud tokens, Stripe payment keys, GitHub access tokensSystems Affected: Over 700 servers worldwideOperational Impact: Persistent access to critical systems, risk of lateral movement, cloud environment hijacking, malicious code injectionsPayment Information Risk: Stripe payment keys compromised
DATA BREACH
Type Of Data Compromised: Credentials, SSH keys, cloud tokens, payment keys, access tokensSensitivity Of Data: HighData Exfiltration: Yes
MARCH 2026
696Before Incident
FEBRUARY 2026
712Before Incident
Cyber Attack
02 Feb 2026Vercel
Dropbox and Vercel: Phishing Scam Uses Clean Emails and PDFs to Steal Dropbox Logins

New Phishing Scam Exploits Trusted PDFs and Cloud Services to Steal Credentials

693After Incident
CRITICAL-19
DROVER1770065567
New Phishing Scam Exploits Trusted PDFs and Cloud Services to Steal Credentials Cybersecurity researchers at Forcepoint have uncovered a sophisticated phishing campaign that bypasses traditional email filters by leveraging clean-looking business emails and multi-stage deception. The attack begins with a seemingly legitimate message often referencing a "tender" or "procurement" deal containing a harmless PDF attachment. Unlike typical phishing attempts, the email itself contains no malicious links, relying instead on the PDF to initiate the scam. The PDFs exploit technical features like AcroForms and FlateDecode to embed hidden clickable buttons, tricking users into interacting with what appears to be a standard document. Once clicked, the victim is redirected to a second file hosted on Vercel Blob storage, a legitimate cloud service that helps the attackers evade security blocks. This file then directs users to a fake Dropbox login page, meticulously designed to mimic the real platform. Behind the scenes, a script harvests email credentials, passwords, IP addresses, device types, and geolocation data, transmitting the stolen information to a private Telegram channel controlled by the attackers. To avoid suspicion, the fake login page displays an error message, making victims believe they simply mistyped their password. Forcepoint has since updated its defenses to detect and block these files, but the campaign highlights how attackers are increasingly abusing trusted formats and cloud infrastructure to bypass security measures. The incident underscores the risks of assuming routine business documents are safe without verifying their origin.
INCIDENT DETAILS -
TYPE
Phishing
MOTIVATION
Credential theft, data exfiltration
IMPACT
Data Compromised: Email credentials, passwords, IP addresses, device types, geolocation dataIdentity Theft Risk: High
DATA BREACH
Email credentialsPasswordsIP addressesDevice typesGeolocation dataSensitivity Of Data: High (personally identifiable information, authentication credentials)Data Exfiltration: Yes (transmitted to private Telegram channel)File Types Exposed: PDF (malicious)Personally Identifiable Information: Yes (email credentials, geolocation data, device types)
JANUARY 2026
712Before Incident
DECEMBER 2025
711Before Incident
NOVEMBER 2025
710Before Incident
OCTOBER 2025
709Before Incident
SEPTEMBER 2025
708Before Incident
AUGUST 2025
707Before Incident
MAY 2025
707Before Incident
Vulnerability
01 May 2025Vercel
Next.js, D-Link, Apache and Netgear: Cyberattack Trends & Variations: What Our Honeypots Reveal

Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026)

702After Incident
CRITICAL-5
NETVERDLITHE1780583187
Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026) Between May 2025 and May 2026, a global network of honeypots recorded over 9.2 million security events originating from 54,000 unique IP addresses across 163 countries, offering a snapshot of evolving cyber threats. The data, collected from strategically deployed decoy systems, highlights sustained attacker interest in vulnerable services, with SSH (75% of events) dominating activity reinforcing the risks of exposing the protocol directly to the internet. Web applications (10%) and SMTP services (10%) followed, while attacks on medical protocols remained negligible. ### Top Exploited Vulnerabilities Nine vulnerabilities stood out for their high exploitation rates, with React2Shell (CVE-2025-55182) a critical flaw in Next.js servers leading the pack. Disclosed in December 2025, it triggered a surge in attacks, with six IP addresses accounting for 90% of December’s activity. Other notable targets included: - ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange): Persistent exploitation since 2021, leveraging unpatched servers for SYSTEM-level access. - Shellshock (CVE-2014-6271): A decade-old Bash vulnerability still actively probed for initial access. - ThinkPHP (CVE-2018-25270): Sustained attacks on the Chinese PHP framework post-2026 disclosure. - Log4Shell (CVE-2021-44228): Declining but still targeted, reflecting its historical impact. - Legacy Router Flaws: D-Link Dir-645 (CVE-2015-2051) and Netgear DGN1000/DGN2000 (CVE-2024-12847) saw renewed activity, tied to campaigns like Rondodox. - CrushFTP (CVE-2025-54309): A single, concentrated attack on October 13, 2025, exploiting a race-condition flaw. ### Key Observations - Web applications faced relentless attacks, with CVEs like React2Shell and ProxyShell driving spikes. - Routers and IoT devices remained prime targets, often via decade-old vulnerabilities. - Exploit timelines varied: Some flaws (e.g., CrushFTP) saw brief, intense campaigns, while others (e.g., Shellshock) endured as persistent threats. - Attacker behavior aligned globally, with honeypot operators reporting similar patterns. The data underscores the longevity of high-impact vulnerabilities and the risks of unpatched systems, even years after disclosure. Honeypots continue to serve as critical tools for detecting emerging threats and attacker methodologies.
INCIDENT DETAILS -
TYPE
Exploit TrendsVulnerability Exploitation
IMPACT
Systems Affected: Decoy honeypot systems
JANUARY 2025
762Before Incident
Breach
01 Jan 2025Vercel
Vercel: App Host Vercel Was Hacked Through a Third-Party AI Tool

Vercel Breach Exposes Customer Credentials via Third-Party AI Tool

702After Incident
CRITICAL-60
VER1776772360
Vercel Breach Exposes Customer Credentials via Third-Party AI Tool Cloud hosting platform Vercel recently disclosed a security breach stemming from a compromised third-party AI tool. The incident, which occurred after an employee connected a Google Workspace OAuth app developed by Context AI to their corporate account, allowed threat actors to access internal systems. Vercel confirmed that a "limited subset of customers" had credentials exposed, though the company stated that those not contacted were unaffected. The breach did not impact Vercel’s popular open-source projects, including Next.js and Turbopack, but the hacker claiming responsibility under the alias "ShinyHunters" allegedly gained access to employee accounts, API keys (including NPM and GitHub tokens), and source code. The stolen data is reportedly being sold on hacking forums. The attack highlights the growing risk of supply chain compromises targeting developer tools and third-party integrations. Vercel has since implemented additional security measures and monitoring to mitigate further exposure. While the company has not verified all of the hacker’s claims, the incident underscores the increasing sophistication of attacks leveraging OAuth-based applications.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial gain (data sold on hacking forums)
IMPACT
Data Compromised: Customer credentials, employee accounts, API keys (NPM, GitHub tokens), source codeSystems Affected: Internal systems, third-party OAuth appBrand Reputation Impact: Potential reputational damage due to breach disclosureIdentity Theft Risk: High (exposed credentials and PII)
DATA BREACH
Customer credentialsEmployee accountsAPI keysSource codeSensitivity Of Data: High (API keys, source code, credentials)Data Exfiltration: Yes (data reportedly sold on hacking forums)Personally Identifiable Information: Customer credentials

Frequently Asked Questions

?
What is the current A.I Rankiteo Cyber Score for Vercel ?
?
What was Vercel's A.I Rankiteo Cyber Score in June 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in May 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in April 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in March 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in February 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in January 2026 ?
?
What was Vercel's A.I Rankiteo Cyber Score in December 2025 ?
?
What was Vercel's A.I Rankiteo Cyber Score in November 2025 ?
?
What was Vercel's A.I Rankiteo Cyber Score in October 2025 ?
?
What was Vercel's A.I Rankiteo Cyber Score in September 2025 ?
?
What was Vercel's A.I Rankiteo Cyber Score in August 2025 ?
?
What is the average per-incident point impact on Vercel's A.I Rankiteo Cyber Score over the past 12 months ?
?
Where can I access detailed records of all cyber incidents associated with Vercel ?
?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ?
?
Where can I view Vercel's profile page on Rankiteo ?
?
How accurate is the A.I Rankiteo Risk Scoring methodology ?
Vercel Cyber Scoring History | Rankiteo