Vimeo confirms user data exposed via Anodot breach, ShinyHunters claims credit

Vimeo has disclosed unauthorized access to customer and user data stemming from the breach at analytics vendor Anodot. The exposed information consists primarily of technical data, video titles, and metadata, with email addresses compromised in some cases. Uploaded video content, account credentials, and payment card data were not affected, and platform operations continued normally. Vimeo has revoked all Anodot credentials and severed the integration.

The extortion group ShinyHunters claimed responsibility, listing Vimeo on its leak portal with a April 30 deadline and threatening additional disruptive activity if no ransom is paid. The group asserts it pulled data from Vimeo’s Snowflake and BigQuery environments but has not quantified the haul.

The incident traces back to attackers stealing authentication tokens from Anodot and pivoting into downstream customer environments, predominantly Snowflake instances. Rockstar Games was previously named as a victim, with ShinyHunters claiming exfiltration of over 78 million records there. The Anodot compromise echoes the broader pattern of third-party analytics vendors functioning as a single chokepoint for accessing dozens of high-value tenants.