

The ShinyHunters extortion gang stole private data belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned.
Vimeo is a video hosting and streaming platform publicly traded on the Nasdaq stock market, with over 300 million registered customers and over 1,100 employees, and reported revenues of $417 million for FY2024.
The company disclosed on April 27 that customer and client data had been accessed without authorization following a recent breach at Anodot, a data anomaly detection firm.
“Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses,” Vimeo said.
However, the company said the attack did not cause any disruptions and that the threat actors did not gain access to affected people's credentials or financial data. Vimeo also disabled all Anodot credentials after detecting the breach and removed the Anodot integration with its systems to cut off the attackers' access.
“The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service,” it added. “Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security experts to assist with the investigation. We have also notified law enforcement.”
After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its dark web data leak site after failing to extort the company.
“Your Snowflake and Bigquery instances data was compromised thanks to Anodot.com,” the extortion gang said. “The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made.”

While Vimeo has yet to disclose the total number of people whose data was stolen in the incident, data breach notification service Have I Been Pwned analyzed the stolen data and reported that the breach exposed the email addresses and (in some cases) names of 119,200 people.
Previously, the cybercrime group told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. ShinyHunters also confirmed they attempted to steal data from Salesforce instances, but said they were blocked by AI-based detection.
ShinyHunters has also been linked to a recent vishing campaign that targets employees’ and Business Process Outsourcing (BPO) agents’ Microsoft Entra, Okta, and Google SSO accounts.
After breaching corporate SSO accounts, they steal data from connected SaaS applications, including Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others.
Other breaches claimed by ShinyHunters in recent weeks include the European Commission, Rockstar Games, edtech giant McGraw Hill, and, more recently, medical device maker Medtronic, cruise line operator Carnival, fast fashion retailer Zara, convenience store chain 7-Eleven, and online training company Udemy.
