Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts

incident · incident:vimeo-anodot-2026

Coverage timeline

first 2026-05-07 → last 2026-05-10

Briefs

2 distinct

Sources cited

12 hosts

Sections touched

incidents, weekly_summary

Co-occurring entities

see Related entities below

2026-05-072 appearances2026-05-10

Story timeline

2026-05-10CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
weekly_summaryConsolidated in weekly summary for week 2026-W19
2026-05-07CTI Daily Brief — 2026-05-07
incidentsFirst coverage. Anodot credentials compromised; used to access Vimeo Snowflake/BigQuery environments; 119,200 email addresses and metadata exposed; ShinyHunters claimed; victim confirmed; published data after ransom declined.

Where this entity is cited

incidents1
weekly_summary1

Source distribution

bleepingcomputer.com3 (20%)
securityaffairs.com2 (13%)
maine.gov1 (7%)
newsroom.adt.com1 (7%)
securityweek.com1 (7%)
vimeo.com1 (7%)
cyberinsider.com1 (7%)
nltimes.nl1 (7%)
other4 (27%)

Related entities

Instructure (Canvas LMS) data breach — student and educator data
incidentincident:instructure-canvas-2026×2
ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil
incidentitem:shinyhunters-charter-spectrum-listing-42m-claim×2
ShinyHunters Oracle PeopleSoft data-theft campaign (100+ orgs, ~300 instances, education-heavy; Univ. of Nottingham confirmed)
campaigncampaign:shinyhunters-peoplesoft-2026×2
ShinyHunters — financially motivated data-theft group
actoractor:ShinyHunters×2
7-Eleven confirms ShinyHunters breach of 600K+ Salesforce franchise-application records (campaign same as Instructure / Vimeo / Wynn / Vercel / Medtronic)
incidentitem:7-eleven-confirms-shinyhunters-salesforce-breach-600k-recor×1
BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08)
incidentincident:bka-crimenetwork-takedown-2026×1
Breach at billing processor Unimed exfiltrates ~97,600+ patient records from six German university hospitals (attribution open)
incidentincident:unimed-german-hospitals-2026×1
ESET APT Activity Report Q4 2025–Q1 2026
annual-reportitem:eset-apt-activity-report-q4-2025-q1-2026-sandworm-lazarus×1

All cited sources (15)

Items in briefs about Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts (2)

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side — Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).

ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

The cross-day pattern most visible in 2026-W19 is the ShinyHunters / WorldLeaks operator family's role in four parallel third-party / SaaS-tier compromises with European footprint, all riding the third-party-analytics → cloud-data-warehouse → tenant-data-exfiltration pivot rather than direct attack on the victim's infrastructure. The sequence: Vimeo / Anodot (first covered 2026-05-07) — Vimeo's official statement confirmed customer email addresses were affected via a third-party security incident involving Anodot, an analytics vendor integrated with Vimeo's infrastructure; the Snowflake-and-BigQuery cloud-data-warehouse pivot is attributed to ShinyHunters' extortion claim per BleepingComputer (not Vimeo's own confirmation); BleepingComputer reports approximately 119,000 email addresses exposed; ShinyHunters published the dataset after Vimeo declined extortion (Vimeo official blog, 2026-04-27 · BleepingComputer, 2026-05-06 · The Register, 2026-05-05). Inditex (Zara) (first covered 2026-05-09) — Have I Been Pwned confirmed 197,400 EU customer email addresses exposed via the same Anodot → BigQuery pivot; Inditex confirmed access to email, geographic location, order IDs, support ticket content; ShinyHunters dumped ~140 GB after Inditex declined (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08 · daily 2026-05-09). ADT Inc. (first covered 2026-05-06) — SEC 8-K filed 2026-04-24 disclosed unauthorised access to certain cloud environments; ShinyHunters claimed the initial-access vector was vishing on an employee Okta SSO account followed by Salesforce data exfiltration (ADT did not confirm the vector) (ADT Newsroom, 2026-04-24 · daily 2026-05-06). Instructure / Canvas (first covered 2026-05-06; expanded each subsequent day — see separate H3 below).

The lesson under PD-11 (less is more) for Swiss / EU public-sector readers: third-party analytics, monitoring, evaluation, and observability integrations holding OAuth or service-account access to production data warehouses (Snowflake, BigQuery, Redshift) are a structural supply-chain attack surface that vendor-assessment checklists routinely miss. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; require provider-side anomaly alerts; and treat any tenant-to-tenant credential propagation pattern (the four incidents above are all that pattern) as warranting a tabletop on revocation timing — Vimeo revoked privileged credentials and access tokens within hours of detection, which is the right reference performance.