Skip to main content
Emerging ThreatsData Breaches

Vimeo Breach Exposes User Data After Anodot Hack

Brightly-lit data center interior with servers and storage units symbolizing secure user data.
"We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo states.

What Vimeo says was exposed — and what was not

Vimeo’s initial disclosure narrows the impact: the company says the data accessed after the Anodot incident was largely technical in nature — video titles and metadata — and that some customer email addresses were included. Vimeo specifically told investigators and the public that the exposed information does not include users' uploaded video content, account credentials, or payment card information. The company also reported that its platform operations remained unaffected.

How the Anodot incident enabled downstream access

The chain begins at Anodot, a data anomaly detection provider. In that incident, attackers stole authentication tokens and used them to access customer environments, primarily Snowflake, and to exfiltrate data from multiple organizations. The same activity has been linked to the extortion group ShinyHunters, which is now attempting to monetize data taken from several downstream victims.

ShinyHunters' public claims and the extortion timeline

ShinyHunters listed Vimeo on its extortion portal and claimed to have data from the company's Snowflake and BigQuery instances. The group demanded a ransom and threatened to publish the stolen data by April 30 unless Vimeo paid. In addition to the leak threat, the actor warned the platform to expect “several annoying digital problems.” In other cases tied to the same campaign, ShinyHunters claimed to have exfiltrated large datasets from other victims — including a claim that it took more than 78.6 million records from Rockstar Games — though for Vimeo the extortion post did not specify the amount of data allegedly taken.

Vimeo's immediate response and investigative steps

Vimeo says it has disabled all Anodot credentials and removed the service’s integration with its systems. The company has engaged third‑party security experts to investigate and has notified law enforcement authorities. Vimeo also pledged to provide updates should the investigation uncover important new information about the incident.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: The incident underscores a specific technical risk: stolen authentication tokens at a third‑party provider can enable access to downstream customer environments (the source cites Snowflake as a primary target). Teams will watch for credential misuse, review third‑party token management, and validate that integrations can be rapidly disabled — steps Vimeo has already taken.
  • Affected enterprises and procurement leaders: Organizations that use anomaly‑detection or analytics SaaS that integrate with centralized data warehouses (Snowflake, BigQuery) will likely reassess contractual and operational controls around token issuance, rotation, and third‑party access to sensitive datasets. The Anodot case shows how a single provider breach can cascade into multiple customer exposures.
  • End users and the general public: Vimeo’s statement narrows the immediate privacy risk: uploaded video content, account passwords, and payment card details were not exposed, according to the company. Still, users whose email addresses may have been included should be alert for phishing and other nuisance activity tied to the extortion actor’s stated warning of “several annoying digital problems.”

Vimeo is a sizable platform — the company enables over 300 million registered users, employs more than 1,100 people, reported annual revenue of $417 million, and is publicly traded on the Nasdaq market — and the company’s public statements emphasize containment and investigation rather than operational disruption. The key facts for now are straightforward: Anodot tokens were stolen, ShinyHunters claims to have accessed Vimeo databases primarily containing technical metadata and some emails, Vimeo disabled the integration and notified authorities, and the extortion group has set an April 30 deadline to publish the data unless a ransom is paid.

The next concrete milestones are documentary rather than speculative: whether ShinyHunters publishes the claimed data by April 30, and whether Vimeo’s ongoing investigation and its third‑party experts turn up additional impacted records or new technical details about the route of access. Vimeo has promised updates if investigators uncover important new information; until then the record rests on the company’s containment actions and the extortionist’s public claims.

Original story