More than 119,000 Vimeo users' email addresses were extracted in a breach traced to a third‑party analytics vendor, according to the breach notification service Have I Been Pwned.
What was taken: emails, metadata and technical data — not video, logins or cards
Vimeo confirmed last week that data was taken from its systems but did not disclose the total number of affected accounts. The company told customers the stolen databases were "heavy on technical data, video titles, metadata, and some customer email addresses." Vimeo also emphasized what was not included in the haul: no actual video content, no valid login credentials, and no payment card information.
Have I Been Pwned (HIBP) now quantifies part of the fallout, identifying 119,000 unique email addresses — in some cases paired with names — among the material released. Those figures come after a public dump posted by a group known as ShinyHunters.
How the intruders say they got in: Anodot integration, not a direct Vimeo breach
Vimeo attributes the incident to an integration with Anodot, a third‑party analytics provider used across Vimeo’s systems. The company said the attacker gained access via that integration rather than by breaking directly into Vimeo. In response, Vimeo says it disabled Anodot credentials, removed the integration, engaged outside security help and notified law enforcement; the investigation is ongoing and the company has promised to update customers as it learns more.
Anodot has not issued a public statement about the incident. The vendor’s own status page shows the incident kicked off on April 4.
ShinyHunters' claims and the size of the dump
The episode first surfaced in April when the ShinyHunters crew added Vimeo to its "pay or leak" list, claiming it had pulled "hundreds of gigabytes of data" and threatening to dump the lot unless a deal was struck. That dump has since landed.
ShinyHunters went further in a post seen by The Register, alleging that "Snowflake and BigQuery instances data was compromised thanks to Anodot.com," and saying the company "failed to reach an agreement" despite multiple attempts to negotiate. Those are claims by the attackers as reported to The Register; Vimeo's public statements point to Anodot as the integration through which access occurred but do not confirm the wider allegations about Snowflake or BigQuery instances.
Why 119,000 emails matter
Vimeo’s characterization of the stolen material as heavy on metadata and email addresses does not make the incident harmless. As the reporting notes, "Email lists like this get reused, resold, and recycled into phishing runs for years, especially when they come with enough context to make a message look convincing." HIBP’s tally gives a concrete measure of at least part of the compromise — a sizable list that can seed fraud and phishing even when credentials and payment data are absent.
What this means for Vimeo customers, Vimeo’s security team, and Anodot
- Vimeo customers and end users: Those with accounts should assume that email addresses and some contextual metadata may be circulating. Vimeo has said it will update customers as the investigation develops.
- Vimeo’s security and procurement teams: The company has removed the Anodot integration, disabled credentials and brought in outside security assistance. The incident underscores an active focus on vendor‑side controls and incident response while the investigation continues.
- Anodot and third‑party analytics providers: Anodot has not publicly commented, though its status page records an incident beginning April 4. The breach narrative centers on an integration vector; the role of analytics platforms and how their access is governed will be a focal point in the ongoing inquiry.
The sequence of events — ShinyHunters' "pay or leak" listing, a public dump, HIBP's 119,000‑address count, and Vimeo's actions to sever Anodot access — leaves a clear, if incomplete, public record. It also underlines a recurring operational risk: an organisation can harden its own perimeter, but a vendor integration may provide a different path in. Vimeo says the probe is ongoing and that it will update customers as it learns more.
Original reporting: ShinyHunters claims dump puts 119K Vimeo emails in the wild — The Register




