
Video hosting platform Vimeo has confirmed that hackers stole user and customer data through an attack on a third-party vendor. The breach exposed technical data, video titles, metadata, and email addresses of some customers.
The notorious ShinyHunters cybercrime group has claimed responsibility for the attack and is demanding a ransom payment by April 30, threatening to leak the stolen files publicly if Vimeo doesn’t comply.
Vimeo says the attackers gained access through Anodot, an analytics platform the company used. The breach did not include actual video content, user login credentials, or payment card information. “Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service,” the company stated.
The attack highlights growing risks from third-party vendor compromises, which have become a favored attack vector for cybercriminals. When companies integrate with external services, they often inherit security vulnerabilities they can’t directly control. This creates a complex web of dependencies that hackers increasingly exploit.
ShinyHunters claims to have accessed Vimeo’s Snowflake and BigQuery databases through the Anodot compromise. The group has been actively targeting organizations through widely used services such as Salesforce instances and other cloud platforms. Its website currently lists three alleged victims of Anodot breaches: Vimeo, Rockstar Games, and fashion retailer Zara.
After discovering the breach, Vimeo disabled all Anodot credentials and removed the integration from its systems entirely. The company has launched an investigation and notified law enforcement. “We’ve taken steps to secure our environment and continue to monitor the situation closely,” a Vimeo spokesperson said.
This incident adds to ShinyHunters’ recent string of high-profile attacks. The group has previously targeted major companies including:
- Wynn Resorts, affecting 21,000 employees
- Medical device maker Medtronic
- Luxury cosmetics company Rituals
- Web development platform Vercel
The breach comes at a time when businesses are increasingly reliant on third-party services for analytics, customer management, and other core functions. While these integrations offer valuable capabilities, they also expand the attack surface that companies must defend. Security experts recommend that organizations carefully vet vendor security practices and implement monitoring systems to detect unusual access patterns across all integrated services.
For Vimeo’s users, the company advises staying vigilant for phishing attempts that might use the stolen email addresses and video metadata. While login credentials weren’t compromised, users should still consider updating their passwords as a precautionary measure.