Vercel confirmed a security incident involving unauthorized access to internal systems on April 19, 2026. The company disclosed the breach in a security bulletin, stating it has engaged incident response experts and notified law enforcement. A limited subset of customers were impacted, and Vercel says it's contacting them directly. Industry figure Theo flagged the breach as credible on social media, with early attribution pointing to ShinyHunters. That's the same group behind major breaches at Tokopedia (91 million records), Microsoft (source code via GitHub), and Bonobos (70GB of customer data). They specialize in stealing corporate data rather than deploying ransomware, and their playbook targets third-party services and supply chain components to maximize blast radius. The technical detail that matters: environment variables marked as "sensitive" within Vercel's platform were protected and remain safe. Everything else should be rotated immediately. Vercel recommends all customers review their environment variables and enable the sensitive variable feature. An attacker who compromises a provider like Vercel can harvest secrets from thousands of downstream applications. That's the real risk with centralized hosting platforms, and it's why this breach matters beyond Vercel's immediate customer base. If you're running anything on Vercel, check your secrets now.