HIGH·supply-chain

Vercel — customer data stolen via Context.ai third-party AI tool breach

Vercel was breached through Context.ai, a third-party AI evaluation tool. A Vercel employee signed up for Context.ai's Office Suite using their Vercel enterprise account and granted 'Allow All' permissions. ShinyHunters listed the stolen customer data for $2 million.

Victim: Vercel + Vercel customers

What happened

TechCrunch reported on April 20, 2026 that Vercel had confirmed a security incident traced to Context AI, an AI evaluation startup. The chain: Context.ai got compromised → attackers used the Vercel employee's OAuth-granted access → exfiltrated customer credentials. The incident is a cautionary tale about default-allow OAuth scopes on AI tools.

Timeline

  1. Vercel employee signs up for Context.ai Office Suite using enterprise SSO; grants 'Allow All' permissions.

  2. Context.ai breach occurs; attacker harvests OAuth-linked customer accounts including Vercel employee's.

  3. Vercel publicly confirms incident; TechCrunch reports stolen customer data.

  4. ShinyHunters threat actor lists data on dark-web markets at $2M asking price.

  5. Vercel KB publishes detailed bulletin; customers advised to rotate exposed credentials.

Root cause

OAuth scope-overreach: the Vercel employee granted 'Allow All' permissions to a third-party AI tool with weak supply-chain hygiene. When Context.ai itself got breached, the attacker inherited the broad scope. The breach is an instance of the AI-supply-chain risk class that CLAUDE.md flags as in-scope for Securie's mcp-guard layer.

Impact

  • Limited customer credentials exfiltrated from Vercel
  • ShinyHunters listed the data for $2M on dark-web markets
  • Cascade across other Context.ai customers (Vercel was one of many)
  • Reputational damage to both Vercel + Context.ai

Would Securie have caught it?

Partially. Securie's mcp-guard crate's TrustedCatalog + Validator + ScopeGuard layers reject any third-party tool whose declared scope drifts wider than the operator-pinned baseline. The customer-side fix is OAuth-app review hygiene + default-narrow scopes; Securie's role is detecting scope drift after install. Note: protecting employee laptops and defending against BEC email attacks are OUT OF SCOPE per CLAUDE.md (CrowdStrike / Proofpoint territory).

Lessons

  • Never grant 'Allow All' permissions to third-party AI tools
  • OAuth-app review must be quarterly + tied to a vendor inventory
  • Sub-processor risk surfaces rapidly — every AI tool you install becomes part of your attack surface
  • Enterprise SSO should require approval for new third-party app permissions
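
The scope-drift check and vendor-inventory review described above, as an added example (not Securie's mcp-guard code, which this page does not show): each OAuth grant is compared against an operator-pinned baseline. The app names, scope strings, wildcard list and grant-export shape are all constructed for illustration.

```python
"""Audit third-party OAuth grants against an operator-pinned scope baseline."""
from dataclasses import dataclass

# Scope names treated as blanket access (constructed; real names vary by provider).
WILDCARD_SCOPES = {"*", "allow_all", "full_access"}

# Vendor inventory: app -> scopes approved at the last review (constructed).
BASELINE = {
    "ai-eval-tool": {"openid", "email", "docs.readonly"},
    "calendar-sync": {"openid", "calendar.readonly"},
}

@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    reason: str        # "unlisted_app" | "wildcard_scope" | "scope_drift"
    excess: frozenset  # the scopes that triggered the finding

def audit_grants(grants, baseline=BASELINE):
    """Return one Finding per grant that is wider than its pinned baseline."""
    findings = []
    for g in grants:
        # OAuth 2.0 scope strings are space-delimited and case-sensitive.
        granted = set(g["scopes"].split())
        app, user = g["app"], g["user"]
        if app not in baseline:  # never reviewed: not in the vendor inventory
            findings.append(Finding(app, user, "unlisted_app", frozenset(granted)))
            continue
        wild = {s for s in granted if s.lower() in WILDCARD_SCOPES}
        if wild:  # blanket grant, regardless of what was approved
            findings.append(Finding(app, user, "wildcard_scope", frozenset(wild)))
            continue
        excess = granted - baseline[app]
        if excess:  # wider than what the operator pinned
            findings.append(Finding(app, user, "scope_drift", frozenset(excess)))
    return findings

# Constructed sample of an identity-provider grant export.
SAMPLE_GRANTS = [
    {"app": "ai-eval-tool", "user": "alice@example.com", "scopes": "openid email docs.readonly"},
    {"app": "ai-eval-tool", "user": "bob@example.com", "scopes": "openid email allow_all"},
    {"app": "calendar-sync", "user": "carol@example.com", "scopes": "openid calendar.readonly mail.read"},
    {"app": "notes-ai", "user": "dave@example.com", "scopes": "openid email"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f.reason:15} {f.app:14} {f.user:20} {sorted(f.excess)}")
```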

References