Vercel disclosed a security incident on April 19, 2026, confirming that an attacker gained unauthorized access to internal systems. ShinyHunters has claimed responsibility, according to reports circulating on Hacker News. Vercel says a small number of customers were affected and is contacting them directly. Services remain operational. Platform-as-a-Service providers all share a common design. They store environment variables in centralized repositories so they can inject secrets into application containers at runtime. API keys, database credentials, and other sensitive data sit in plaintext or reversibly encrypted form inside their infrastructure. It's a goldmine for attackers. Vercel's "sensitive environment variable" feature apparently uses end-to-end encryption or hardware security modules that kept those secrets safe. Standard environment variables didn't get that protection. Vercel representative Theo confirmed on Twitter that variables marked as sensitive stayed secure. He advised rotating anything not marked as sensitive, and he's right that this is an industry-wide problem. Any hosting provider with comparable architecture is vulnerable. Vercel has engaged incident response experts and notified law enforcement. The company recommends all customers review their environment variables and enable the sensitive environment variable feature. If you're running anything on Vercel, rotate your secrets now.
Vercel breached by ShinyHunters, rotate your secrets
Vercel confirmed an April 19 security breach attributed to hacker group ShinyHunters, which accessed internal systems and potentially exposed environment variables. The company is contacting affected customers and working with law enforcement. Sensitive environment variables remained encrypted and safe, but standard variables may be compromised. Anyone running on Vercel should rotate their secrets immediately.
