Vercel confirms unauthorized access to internal systems

In short: Vercel says someone gained unauthorized access to its internal systems around April 20, 2026, and a hacker group claims it stole data from a limited set of customers.

What happened

Vercel, a company that hosts and deploys websites and web apps, confirmed a “security incident” involving unauthorized access to its internal systems on or around April 20, 2026. Vercel said the impact affected a limited subset of its customers.

Reports say the stolen information may have come from Vercel’s internal database, which is like a central filing cabinet for company systems. The leak is described as including things like access keys and API keys (digital keys that let software talk to other software), employee accounts, source code (the instructions that make an app run), and tokens tied to developer tools like GitHub and NPM.

A person claiming to be part of the hacker group ShinyHunters posted samples online, including employee names, email addresses, and activity timestamps. The same person also attempted to sell the data on a hacking forum called BreachForums for $2 million, according to the reports.

Vercel has not publicly listed specific customer data that was exposed beyond saying the incident involved internal systems. The reports also note this is separate from other Vercel security bulletins about Next.js and React issues, which were described as software flaws that could cause service disruption or accidental code exposure, not confirmed data theft.

Why it matters

If you or your company uses Vercel, leaked “keys” and “tokens” can matter even if no passwords were stolen. They can work like copied spare keys to important accounts. Some community members are advising customers to change passwords and rotate access tokens as a precaution.

Source: The Verge AI