Vimeo breach by ShinyHunters exposes personal info of 119,000 users

Video hosting platform Vimeo has confirmed that a data breach exposed the personal information of more than 119,000 users after the cybercriminal group ShinyHunters allegedly compromised data through a third-party analytics provider.

The breach has been linked to a wider campaign targeting organizations connected to Anodot, a cloud analytics company whose integrations reportedly gave attackers access to customer Snowflake environments.

 

What happened

According to TechRadar, unauthorized actors accessed certain Vimeo user and customer databases containing technical information, video titles, metadata, and some customer email addresses. The company said the compromise originated from a breach involving Anodot rather than Vimeo’s own internal infrastructure.

Analysis from Have I Been Pwned later revealed that approximately 119,200 unique email addresses were exposed, with some records also containing user names.

 

Going deeper

The incident has been attributed to the cyber-extortion group ShinyHunters, a notorious hacking collective known for pay-or-leak campaigns targeting cloud-connected organizations and SaaS platforms. Reports indicate that ShinyHunters exploited Anodot’s third-party integration capabilities to access customers’ Snowflake accounts, including Vimeo’s.

Initially, Vimeo believed the attackers had only accessed technical data and metadata. However, after ransom negotiations reportedly failed, ShinyHunters leaked around 106GB of stolen documents online, significantly expanding the scope of the exposure.

The leaked information mainly includes video metadata, technical records, email addresses, and names, but even limited personal data can be valuable to cybercriminals conducting phishing or identity fraud campaigns.

Following the discovery, Vimeo revoked Anodot credentials, removed the integration from its systems, launched an investigation with third-party cybersecurity experts, and notified law enforcement.

 

What was said

Vimeo told Bleeping Computer that their initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses. The company also stated that the attack did not result in any disruptions, and the threat actors were unable to access individuals' credentials or financial information.

The company then noted that "The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service." It also added that "Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security experts to assist with the investigation. We have also notified law enforcement."

 

In the know

A pay-or-leak extortion attack is a form of cybercrime in which attackers steal sensitive data from an organization and threaten to publicly release it unless a ransom is paid. Unlike traditional ransomware attacks that focus on encrypting systems and disrupting operations, pay-or-leak campaigns center on the exposure of confidential information such as customer records, financial data, emails, or internal documents.

 

The bigger picture

The Vimeo breach is the latest in a string of high-profile cyber incidents linked to the ShinyHunters extortion group, which has intensified its operations throughout 2026.

In April, it was implicated in an attack against Medtronic, where the group stole more than 9 million records, including personal and corporate data, and issued an ultimatum: pay a ransom or face public exposure of the data. In the same month, Udemy was the victim of a cyberattack carried out by ShinyHunters. This attack affected approximately 1.4 million people.

ShinyHunters continues to terrorize organizations through pay-or-leak extortion campaigns that target cloud services, SaaS platforms, and third-party vendors. This recent attack demonstrates that these attacks are not going to stop anytime soon, and organizations should prioritize prevention instead of mitigation.

FAQs

How are pay-or-leak attacks different from ransomware?

Traditional ransomware attacks encrypt files and systems to disrupt operations, while pay-or-leak attacks focus on stealing sensitive data and threatening to release it publicly unless a ransom is paid. Some attackers use both tactics simultaneously.

 

Why do cybercriminals leak stolen data online?

Attackers leak data to pressure victims into paying ransoms, damage company reputations, or increase publicity around their attacks. Public leaks can also help cybercriminals prove they possess the stolen information.

 

What are supply chain attacks?

Supply chain attacks occur when cybercriminals compromise a trusted third-party vendor, software provider, or service partner to gain access to multiple organizations indirectly.
