April 20, 2026 | Security Alerts

The Vercel breach: What to do in the next 24 hours

A compromised Context.ai OAuth token breached Vercel. Here's the checklist every security team should run through before the end of the day.

On April 19, Vercel disclosed a security incident involving unauthorized access to internal environments. The root cause: a compromised OAuth token from Context.ai, a third-party AI tool that one Vercel employee had connected to their enterprise Google Workspace account. That single point of consent, granted months earlier, was enough for the attacker to get in.

What happened

The attack has been traced back to a Context.ai employee whose laptop was infected with the Lumma infostealer in February 2026, reportedly after downloading Roblox cheat scripts. That single infection exfiltrated Google Workspace credentials, API keys, session cookies, and OAuth tokens, which gave the attacker the secrets Context.ai uses to authorize OAuth calls on behalf of its users across many organizations.

One of those users was a Vercel employee who had signed up with their corporate Google account and approved broad scopes. Two months later, the attacker used that token to take over the employee's Google Workspace account, pivoted from there into Vercel through the OAuth client, then into Vercel's cloud environment, and enumerated environment variables that weren't marked as “sensitive.” Vercel assesses the attacker as highly sophisticated and has engaged Mandiant, additional cybersecurity firms, and law enforcement.

Environment variables marked sensitive in Vercel are write-only: deployments can use them, but nobody can read the value back through the dashboard or API, and Vercel says it has no evidence those values were accessed. Non-sensitive variables, which are decrypted and shown in plaintext on request, are the ones at risk.

What to do now if you use Vercel

  1. Rotate every environment variable that contains a secret (API keys, tokens, database credentials, signing keys) and wasn't marked sensitive. Treat those values as exposed.
  2. Move secrets to Vercel's sensitive environment variables feature going forward.
  3. Turn on two-factor authentication for every Vercel account in your org.
  4. Review your account and environment activity logs for anomalies.
  5. Audit recent deployments for anything unexpected. When in doubt, delete.
  6. Set Deployment Protection to Standard at minimum, and rotate any Deployment Protection bypass tokens.
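To make step 1 concrete, here is an added triage script (written for this post, not Vercel's own tooling). It takes the JSON that a `GET /v9/projects/{idOrName}/env` call to the Vercel REST API returns and sorts every variable into "rotate", "already sensitive", "public", "system" or "ok", then emits the CLI steps to re-create the exposed ones as sensitive. The response shape, the `type` values and the `vercel env add --sensitive` flag are assumptions taken from Vercel's published docs; the sample project is constructed.

```python
"""Triage a Vercel project's environment variables after the Context.ai incident.

Added example, not Vercel's tooling. It reads the JSON that the Vercel REST API
returns for GET /v9/projects/{idOrName}/env: an object with an "envs" list whose
entries carry "key", "type", "target" and, for readable variables, "value". The
"type" values ("plain", "encrypted", "sensitive", "secret", "system") and the
`vercel env add --sensitive` CLI flag are assumptions from Vercel's docs; the
sample project below is constructed.
"""
import json
import re

# Key names that usually hold credentials.
SECRET_KEY_PATTERN = re.compile(
    r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|DSN|SIGNING|WEBHOOK",
    re.IGNORECASE,
)
# Connection strings that embed user:password even when the key name is bland,
# e.g. DATABASE_URL=postgres://app:hunter2@db.internal/app
CREDENTIAL_VALUE_PATTERN = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)

# Only "sensitive" variables cannot be read back through the dashboard or API.
WRITE_ONLY_TYPES = {"sensitive"}
# Prefixes that frameworks inline into browser bundles: never secret by design.
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "REACT_APP_", "PUBLIC_")


def classify(env):
    """Return (bucket, reason) for one entry of the "envs" list."""
    key = env.get("key", "")
    etype = env.get("type", "")
    value = env.get("value") or ""
    if etype == "system":
        return "system", "managed by Vercel; nothing to rotate"
    if etype in WRITE_ONLY_TYPES:
        return "already_sensitive", "write-only; not readable via dashboard or API"
    if key.startswith(PUBLIC_PREFIXES):
        return "public", "inlined into client bundles; must not hold a secret"
    if SECRET_KEY_PATTERN.search(key):
        return "rotate", f"name suggests a credential and type is {etype!r}"
    if CREDENTIAL_VALUE_PATTERN.match(value):
        return "rotate", "value embeds user:password in a connection URL"
    return "ok", "no credential indicators"


def triage(env_response):
    """Bucket every variable; the 'rotate' entries are the ones to treat as exposed."""
    buckets = {"rotate": [], "already_sensitive": [], "public": [], "system": [], "ok": []}
    for env in env_response.get("envs", []):
        bucket, reason = classify(env)
        buckets[bucket].append(
            {"key": env.get("key", ""), "targets": env.get("target", []), "reason": reason}
        )
    return buckets


def rotation_commands(buckets):
    """CLI steps to re-create each exposed variable as sensitive.

    `vercel env add` prompts for the value: generate the replacement at the
    issuing service first (Stripe, the database, ...) and paste the new one,
    then redeploy so running functions stop using the old value.
    """
    cmds = []
    for entry in buckets["rotate"]:
        for target in entry["targets"] or ["production"]:
            cmds.append(f"vercel env rm {entry['key']} {target} --yes")
            cmds.append(f"vercel env add {entry['key']} {target} --sensitive")
    return cmds


# Constructed sample in the shape of the API response.
SAMPLE_ENVS = {
    "envs": [
        {"key": "STRIPE_SECRET_KEY", "type": "encrypted", "target": ["production"]},
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production", "preview"],
         "value": "postgres://app:hunter2@db.internal:5432/app"},
        {"key": "NEXT_PUBLIC_SITE_URL", "type": "plain", "target": ["production"],
         "value": "https://example.com"},
        {"key": "JWT_SIGNING_KEY", "type": "sensitive", "target": ["production"]},
        {"key": "LOG_LEVEL", "type": "plain", "target": ["development"], "value": "debug"},
        {"key": "VERCEL_URL", "type": "system", "target": ["production"]},
    ]
}

if __name__ == "__main__":
    result = triage(SAMPLE_ENVS)
    print(json.dumps(result, indent=2))
    print("\n".join(rotation_commands(result)))
```

The name-based check is deliberately greedy: a false positive costs you one needless rotation, a false negative leaves a leaked credential live. The value check exists because connection URLs are the classic case of a secret hiding behind a harmless-looking key.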

Check for use of Context.ai in your organization

The initial entry point for Vercel was through Context.ai. To ensure your organization is not similarly exposed, investigate any use of Context.ai by your employees.

The OAuth app that was compromised has been deactivated by Context.ai, but deactivation does not tell you who had granted it. Search your Google Workspace OAuth (token) audit events for any grant with this client ID, as shared by Vercel:

110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Any account with activity related to this grant should be considered exposed: revoke the grant, sign the user out of all sessions, and treat everything the granted scopes could reach as compromised.
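An added example (not from Vercel or Context.ai) of the search described above, run against the Admin SDK Reports API's token activity records rather than the Admin console UI. The record layout (actor email, a timestamp in `id.time`, events named `authorize` or `revoke` with `client_id` and multi-valued `scope` parameters) follows the Reports API's documented shape; the three accounts, their timestamps and the unrelated client ID are constructed. One caveat: Workspace retains these audit events only for a limited window, so a grant older than that will not show up here and has to be checked in the user's current token list instead.

```python
"""Find Workspace accounts that authorized the compromised Context.ai OAuth client.

Added example for this post, not code from Vercel or Context.ai. It processes
activity records as returned by the Admin SDK Reports API
(applicationName=token): each record has an actor email, a timestamp in
id.time and events named "authorize" or "revoke" whose parameters include
client_id and the multi-valued scope. The accounts below are constructed.
"""
from urllib.parse import urlencode

# Client ID of the deactivated Context.ai app, as shared by Vercel.
CONTEXT_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

REPORTS_ENDPOINT = (
    "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token"
)


def reports_url(client_id, event_name="authorize", max_results=1000):
    """Request URL that returns only token events for one client (run once per event name)."""
    query = {"eventName": event_name, "filters": f"client_id=={client_id}", "maxResults": max_results}
    return f"{REPORTS_ENDPOINT}?{urlencode(query)}"


def _params(event):
    """Flatten the parameters list into {name: value-or-list}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def grants_for_client(activities, client_id):
    """Map each actor to its authorize/revoke timestamps and granted scopes for client_id."""
    grants = {}
    for record in activities:
        email = record.get("actor", {}).get("email", "<unknown>")
        when = record.get("id", {}).get("time", "")
        for event in record.get("events", []):
            params = _params(event)
            if params.get("client_id") != client_id:
                continue
            entry = grants.setdefault(email, {"authorized": [], "revoked": [], "scopes": set()})
            if event.get("name") == "authorize":
                entry["authorized"].append(when)
                entry["scopes"].update(params.get("scope") or [])
            elif event.get("name") == "revoke":
                entry["revoked"].append(when)
    return grants


def exposed_accounts(activities, client_id):
    """Every account with any event for the client; the post says to treat all of them as exposed."""
    return sorted(grants_for_client(activities, client_id))


def still_active(activities, client_id):
    """Accounts whose most recent event for the client is an authorize rather than a revoke.

    Timestamps are RFC 3339 in UTC ("...Z"), so plain string comparison orders them.
    """
    active = []
    for email, grant in grants_for_client(activities, client_id).items():
        if max(grant["authorized"], default="") > max(grant["revoked"], default=""):
            active.append(email)
    return sorted(active)


def _record(time, email, name, client_id, scopes=None):
    """Build one constructed activity record in the Reports API shape."""
    parameters = [{"name": "client_id", "value": client_id}]
    if scopes is not None:
        parameters.append({"name": "scope", "multiValue": scopes})
    return {
        "id": {"time": time, "applicationName": "token"},
        "actor": {"email": email},
        "events": [{"type": "auth", "name": name, "parameters": parameters}],
    }


# Constructed sample: alice still holds the grant, bob revoked it, carol used an unrelated app.
SAMPLE_ACTIVITIES = [
    _record("2026-02-03T14:02:11.000Z", "alice@example.com", "authorize", CONTEXT_CLIENT_ID,
            ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/drive"]),
    _record("2025-12-19T08:45:00.000Z", "bob@example.com", "authorize", CONTEXT_CLIENT_ID,
            ["https://www.googleapis.com/auth/calendar.readonly"]),
    _record("2026-01-07T17:30:45.000Z", "bob@example.com", "revoke", CONTEXT_CLIENT_ID),
    _record("2026-03-15T10:00:00.000Z", "carol@example.com", "authorize",
            "000000000000-unrelated.apps.googleusercontent.com", ["openid", "email"]),
]

if __name__ == "__main__":
    print("query:", reports_url(CONTEXT_CLIENT_ID))
    print("exposed:", exposed_accounts(SAMPLE_ACTIVITIES, CONTEXT_CLIENT_ID))
    print("still active:", still_active(SAMPLE_ACTIVITIES, CONTEXT_CLIENT_ID))
```

Bob shows up in the exposed list even though he revoked the grant in January: the attacker held the stolen refresh token from February onwards, so a later revocation limits the window but does not clear the account. The scopes recorded on each authorize event tell you what the token could reach during that window.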

The wider lesson for every security team

This breach didn't start at Vercel. It started at a vendor most security teams have never heard of, and it traveled through an OAuth grant one employee enabled months ago. That's the shape of modern supply-chain compromise: an infostealer hits a vendor you don't formally do business with, the attacker works backwards from stolen access, and an old consent becomes the front door.

Use the next 24 hours to look past the Vercel-specific response and tighten a few things that matter for any breach shaped like this one:

  • Audit third-party OAuth grants across Google Workspace and Microsoft 365. Look for overly broad scopes, unused grants, and apps that didn't go through security review.
  • Inventory every SaaS and AI tool (and integrations) employees have signed up for with corporate credentials. They're third-party dependencies whether they went through procurement or not.
  • Consider restricting Google Workspace OAuth grants for sensitive scopes by default: set third-party app access to "Allow users to access third-party apps that only request basic info needed for Sign in with Google", and enable "User requests to access unconfigured apps" so that new Google Workspace integrations go through an approval step.
  • Review shared accounts and group mailboxes. MFA is usually missing, passwords rarely rotate, and they quietly accumulate access.
  • Watch infostealer feeds and public breach dumps for your corporate domain. The Context.ai compromise was visible in threat intel for weeks before Vercel was hit.
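For the first bullet above, here is an added example (not part of the original post) that ranks every active third-party grant in the tenant by the access it carries, using the per-user output of the Directory API's `users.tokens.list` call. Unlike the audit log, this shows what is granted right now, including grants old enough to have aged out of the log. The scope tiers, the reviewed-app allowlist and every client ID except Context.ai's are this example's own assumptions; the token lists are constructed.

```python
"""Rank active third-party OAuth grants in Google Workspace by the access they carry.

Added example, not part of the original post. The input is the per-user output
of the Admin SDK Directory API users.tokens.list call (entries with clientId,
displayText, scopes, anonymous, nativeApp). The scope tiers, the reviewed-app
allowlist and every client ID except Context.ai's are this example's own
assumptions; the token lists below are constructed.
"""
import re

# Known-compromised clients: Context.ai's, as shared by Vercel.
COMPROMISED_CLIENT_IDS = {
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
}
# Hypothetical: apps that went through your security review.
REVIEWED_CLIENT_IDS = {"222222222222-reviewed.apps.googleusercontent.com"}

# Worst tier first; the first pattern that matches a scope decides its tier.
SCOPE_TIERS = [
    ("high", re.compile(
        r"^https://mail\.google\.com/$"        # full Gmail
        r"|/auth/gmail(\.|$)"                   # any Gmail scope, readonly included
        r"|/auth/drive(\.readonly)?$"           # all of Drive
        r"|/auth/admin\."                       # Admin SDK
        r"|/auth/cloud-platform")),             # Google Cloud
    ("medium", re.compile(r"/auth/(calendar|contacts|drive\.file|spreadsheets|documents)")),
    ("low", re.compile(r"^(openid|email|profile)$|/auth/userinfo\.(email|profile)$")),
]
# Unclassified scopes outrank "low": a human needs to look at them.
TIER_RANK = {"high": 3, "medium": 2, "unknown": 1, "low": 0}


def scope_tier(scope):
    for tier, pattern in SCOPE_TIERS:
        if pattern.search(scope):
            return tier
    return "unknown"


def grant_risk(token):
    """Return (tier, reasons) for one token entry."""
    scopes = token.get("scopes", [])
    tiers = [scope_tier(s) for s in scopes]
    worst = max(tiers, key=TIER_RANK.get, default="unknown")
    reasons = [f"broadest scope tier: {worst}"]
    if token.get("clientId") in COMPROMISED_CLIENT_IDS:
        worst = "high"
        reasons.append("client is known compromised")
    if token.get("clientId") not in REVIEWED_CLIENT_IDS:
        reasons.append("app never went through security review")
    if token.get("anonymous"):
        reasons.append("unverified (anonymous) app")
    unknown = [s for s, t in zip(scopes, tiers) if t == "unknown"]
    if unknown:
        reasons.append("unclassified scopes: " + ", ".join(unknown))
    return worst, reasons


def audit(tokens_by_user):
    """Flatten {email: tokens.list response} into one report, worst grants first."""
    rows = []
    for email, response in tokens_by_user.items():
        for token in response.get("items", []):
            tier, reasons = grant_risk(token)
            rows.append({"user": email, "app": token.get("displayText", "?"),
                         "client_id": token.get("clientId", ""), "tier": tier, "reasons": reasons})
    rows.sort(key=lambda r: (-TIER_RANK[r["tier"]], r["user"], r["app"]))
    return rows


def revoke_url(user_key, client_id):
    """Directory API call (DELETE) that revokes one user's grant to one client."""
    return f"https://admin.googleapis.com/admin/directory/v1/users/{user_key}/tokens/{client_id}"


# Constructed sample: one tokens.list response per user.
SAMPLE_TOKENS = {
    "alice@example.com": {"items": [
        {"clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
         "displayText": "Context", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/drive", "openid", "email"]},
        {"clientId": "222222222222-reviewed.apps.googleusercontent.com",
         "displayText": "Reviewed Calendar Sync", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar"]},
    ]},
    "dave@example.com": {"items": [
        {"clientId": "333333333333-shiny.apps.googleusercontent.com",
         "displayText": "Shiny AI Notetaker", "anonymous": True, "nativeApp": False,
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "444444444444-login.apps.googleusercontent.com",
         "displayText": "Sign in only", "anonymous": False, "nativeApp": False,
         "scopes": ["openid", "email", "profile"]},
    ]},
}

if __name__ == "__main__":
    for row in audit(SAMPLE_TOKENS):
        print(row["tier"].upper(), row["user"], row["app"], "|", "; ".join(row["reasons"]))
        if row["tier"] == "high":
            print("   revoke:", revoke_url(row["user"], row["client_id"]))
```

The report is what the bullet asks for: the Context.ai grant and the anonymous note-taker with full Gmail access land at the top, the reviewed calendar app sits in the middle, and sign-in-only grants fall to the bottom. Run the tokens call for every user in the directory, not just the ones you suspect; the whole point of this incident is that the risky grant belonged to someone nobody was looking at.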

Supply-chain compromises don't care whether you signed a contract with the vendor. If an employee granted a token, you're in scope.
