May 5, 2026 | Product

How to use Nudge Security to minimize risk from supply chain breaches like Vercel

The Vercel breach exploited shadow SaaS, overpermissioned OAuth grants, and reused credentials. Here's how to find and close each of those gaps in Nudge Security—before the next one hits.

In April 2026, Vercel disclosed a breach that traced back to a single Context.ai employee. That employee had signed up for a tool using their enterprise Google account, clicked through an OAuth consent screen granting broad access, and reused a password that had already been stolen by infostealer malware. The attacker pivoted from those credentials into Vercel's systems, then enumerated secrets from environment variables that weren't marked sensitive.

No single gap caused the breach. It was the combination—unsanctioned SaaS adoption, overpermissive OAuth grants, weak credential hygiene, and a misconfigured posture setting—that made it possible.

Each of those gaps is something Nudge Security is built to surface. Here's how to work through them.

Find unsanctioned SaaS and AI tools before they become a liability

The Context.ai tool that started this breach was never reviewed by Vercel's security team. It didn't need to be—one employee signing up with a corporate Google account was enough to create the exposure.

Traditional vendor inventories won't catch this. They reflect what went through procurement, not what employees actually signed up for. In Nudge Security, your SaaS inventory is built from what's actually in use, not what's on an approved list.

What to do in Nudge Security: Navigate to the App Discovery view to see every SaaS and AI tool your employees have created accounts in, including apps that were never sanctioned. For each new app, you'll see which employee signed up, when, and what scopes were granted. Filter by "AI tools" to focus specifically on the category of apps most likely to be adopted without IT review. You can also set up alerts to notify you the moment a new account is created in a high-risk app category, so you're not finding out weeks later.

For any app in your inventory, you can pull up the vendor security profile—breach history, the vendor's own SaaS dependencies, and security ratings—to assess risk without having to research it from scratch. That's the context you need to decide whether to sanction, restrict, or revoke access.

Audit and revoke OAuth grants

The Vercel incident rode on one "Allow All" click. That OAuth grant gave Context.ai broad access to workspace data, and it sat there—presumably with more access than anyone remembered—until it was exploited.

Most organizations have hundreds or thousands of OAuth grants across Google Workspace or Microsoft 365. The vast majority were approved by employees, not IT. Many are forgotten, idle, and still permissioned.

What to do in Nudge Security: The OAuth Grants table shows every active grant across your identity provider—who approved it, what scopes it carries, when it was last used, and a risk score based on the permissions requested. Sort by risk score to surface the grants that carry the most access. Filter by "last activity" to find ones that haven't been active in 30, 60, or 90 days but still hold privileged permissions.

When you find a grant that needs to go, you can revoke it directly from Nudge Security in two clicks—no need to hunt through admin consoles. For overpermissive grants you want to flag for review rather than revoke immediately, you can assign them to the app owner and track remediation from the same view.

After the Vercel breach, this is the first place to look: search for any grants connected to Context.ai or Vercel and assess what access they carry.
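The triage described above (score grants by the scopes they hold, then pull out the idle ones that still carry privileged access) as an added example, not Nudge Security's own code or API. The Google scope URIs are real; the weights, the idle threshold and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Weights per scope are an assumption for this example; the scope URIs themselves are real.
PRIVILEGED_SCOPES = {
    "https://mail.google.com/": 10,                             # full Gmail access
    "https://www.googleapis.com/auth/drive": 8,                 # every Drive file
    "https://www.googleapis.com/auth/admin.directory.user": 9,  # directory admin
    "https://www.googleapis.com/auth/gmail.readonly": 5,
}

@dataclass
class Grant:
    app: str
    approved_by: str
    scopes: list
    last_used: date

def risk_score(grant: Grant) -> int:
    """Sum a weight per privileged scope; any other (narrow) scope adds 1."""
    return sum(PRIVILEGED_SCOPES.get(s, 1) for s in grant.scopes)

def stale_privileged_grants(grants, today: date, idle_days: int = 90, min_score: int = 8):
    """Grants idle for at least idle_days whose scopes still score >= min_score,
    highest risk first: the review queue the section above describes."""
    cutoff = today - timedelta(days=idle_days)
    hits = [g for g in grants if g.last_used <= cutoff and risk_score(g) >= min_score]
    return sorted(hits, key=risk_score, reverse=True)

# Constructed sample inventory: app names, approvers and dates are made up.
TODAY = date(2026, 5, 1)
SAMPLE = [
    Grant("note-taker-ai", "alice@example.com",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"],
          date(2025, 11, 3)),
    Grant("calendar-sync", "bob@example.com",
          ["https://www.googleapis.com/auth/calendar.readonly"], date(2025, 6, 1)),
    Grant("crm-connector", "carol@example.com",
          ["https://www.googleapis.com/auth/gmail.readonly"], date(2026, 4, 28)),
]

if __name__ == "__main__":
    for g in stale_privileged_grants(SAMPLE, TODAY):
        print(f"{g.app}: score={risk_score(g)} approved_by={g.approved_by} last_used={g.last_used}")
```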

Check your Vercel posture with SSPM

Vercel's own disclosure called out environment variables that weren't marked as sensitive as the posture gap that let the attacker enumerate secrets after gaining access. This is exactly the kind of configuration drift that's invisible without dedicated tooling—no alert fires, no policy is technically violated, but the exposure is real.

What to do in Nudge Security: If you have the Vercel connected app enabled, navigate to Findings and filter by app to Vercel. Nudge Security includes a specific finding for environment variables that aren't flagged as sensitive—the exact misconfiguration Vercel identified in their disclosure. Each finding includes an overview, the recommended resolution workflows, and step-by-step remediation instructions.

If you haven't connected the Vercel app yet, this is a good moment to do it. The connection takes a few minutes, and you'll immediately get a posture baseline for your Vercel environment, including any other configuration gaps beyond the environment variable issue.
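To see what that posture finding checks, here is an added example (not Nudge Security's or Vercel's code) that lists project environment variables not marked sensitive. The input is a constructed response in the shape I understand Vercel's project environment-variable endpoint (GET /v9/projects/{id}/env) to return; verify that shape against the current API reference before relying on it.

```python
import json
import re

# Constructed sample response; the field names follow the Vercel env-var endpoint as
# an assumption. 'encrypted' and 'plain' values can be read back, 'sensitive' cannot.
SAMPLE_RESPONSE = json.dumps({"envs": [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_APP_NAME", "type": "plain", "target": ["production", "preview"]},
    {"key": "GITHUB_TOKEN", "type": "plain", "target": ["preview"]},
    {"key": "LOG_LEVEL", "type": "plain", "target": ["production"]},
    {"key": "VERCEL_ENV", "type": "system", "target": ["production"]},
]})

# Names that usually hold credentials; used only to order the queue, not to decide it.
SECRET_LIKE = re.compile(r"(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|_KEY$|_URL$|_DSN$)")

def non_sensitive_env_vars(response_json: str):
    """Return (key, type, targets) for every variable whose value could still be read
    back: anything not marked 'sensitive', skipping Vercel-managed 'system' values and
    the NEXT_PUBLIC_ prefix, which is meant to ship to the browser anyway."""
    findings = []
    for env in json.loads(response_json)["envs"]:
        key, kind = env["key"], env["type"]
        if kind in ("sensitive", "system") or key.startswith("NEXT_PUBLIC_"):
            continue
        findings.append((key, kind, tuple(env.get("target", []))))
    return findings

def prioritized(findings):
    """Secret-looking names first, then alphabetical, so likely real secrets get fixed first."""
    return sorted(findings, key=lambda f: (not SECRET_LIKE.search(f[0]), f[0]))

if __name__ == "__main__":
    for key, kind, targets in prioritized(non_sensitive_env_vars(SAMPLE_RESPONSE)):
        print(f"{key}: type={kind} targets={','.join(targets)} -> mark as sensitive")
```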

Surface weak and reused passwords

Infostealer malware pulled credentials from the Context.ai employee's device, and those credentials worked in part because passwords were being reused. That's not an unusual finding—it's one of the most common issues Nudge Security surfaces across every customer environment.

What to do in Nudge Security: The browser extension continuously monitors for weak passwords, reused passwords, and accounts that are bypassing SSO or MFA across your SaaS estate. You can see which employees have credential hygiene issues and which apps are involved, without accessing the passwords themselves.

Nudge Security also cross-references your employee accounts against known credential dumps. If a corporate email address appears in a public breach, you'll see it flagged with the source and the affected app—so you can act before an attacker does.

For high-risk employees or those in sensitive roles, you can trigger a nudge directly from Nudge Security prompting them to update weak or reused passwords, with context about why it matters.

Find shared accounts and close lateral movement paths

One of the credentials recovered from the Context.ai employee's device was a shared support account—[email protected]. Shared accounts are a reliable lateral movement path: no individual owns them, MFA is rarely enforced, and they tend to accumulate access to every tool the team has ever used.

What to do in Nudge Security: We flag shared accounts and shared mailboxes across your SaaS estate. Nudge Security identifies these based on account naming patterns and usage signals, then surfaces which apps they're still active in and what access they hold.

For each shared account you find, you can see the full list of apps it has access to, assess whether that access is still appropriate, and revoke or restrict from the same interface. You can also flag shared accounts for conversion to service accounts with proper ownership and MFA enforcement.

Review browser extension inventory

Context.ai also offered a Chrome extension connected to the same Google account—another potential vector for supply chain compromise that often goes completely unreviewed. Browser extensions are granted OAuth-level permissions, operate inside the browser where most SaaS authentication happens, and rarely get the same scrutiny as app integrations.

What to do in Nudge Security: The Browser Extensions Inventory shows every extension installed across your managed devices, the permissions each one requests, and a risk rating based on those scopes.

You can export the browser extension inventory as a CSV or via API for remediation.

Stay ahead of the next breach with vendor alerts

Nudge Security maintains security profiles for more than 200,000 SaaS vendors, including each vendor's own SaaS supply chain. When a breach is disclosed—either at a vendor you use directly or at a vendor your vendors depend on—Nudge Security surfaces the alert along with which of your employees have accounts in that app.

You don't have to wait for a disclosure email or monitor news feeds. When the Vercel breach was disclosed, Nudge Security customers could immediately see which employees had Vercel accounts, what integrations those accounts had wired up, and whether any active OAuth grants connected to the breach needed immediate action.

What to do in Nudge Security: In the breaches view, you'll see active alerts for any vendor in your inventory with a recent breach disclosure. Each alert links to the affected app in your inventory so you can go straight to the accounts and grants that need attention. Set up notifications so your team gets alerted the moment a breach hits a vendor you're using—not hours or days later.

No individual feature would have stopped the Vercel breach on its own. What makes the difference is being able to move quickly across all of these dimensions at once: knowing which employees had Context.ai accounts, seeing what those OAuth grants could access, catching the Vercel posture gap before the attacker found it, and flagging the credential reuse before it became a problem.

That's what Nudge Security is built for.

If you want to run through this checklist against your own environment, start a free trial or book a demo.
