The ShinyHunters extortion gang stole personal information belonging to over 119,000 individuals after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned.
Vimeo is a video hosting and streaming platform publicly traded on the Nasdaq stock market, with over 300 million registered customers and over 1,100 employees, and reported revenues of $417 million for FY2024.
The company disclosed on April 27 that customer and user data had been accessed without authorization following a recent breach at Anodot, a data anomaly detection company.
“Our preliminary findings suggest that the databases accessed primarily contain technical information, video titles and metadata, and, in some cases, customer email addresses,” Vimeo said.
However, the company said the attack did not cause any disruptions and that the threat actors did not gain access to affected individuals’ credentials or financial information. Vimeo also disabled all Anodot credentials after detecting the breach and removed the Anodot integration with its systems to cut off the attackers’ access.
“The information accessed doesn’t include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident didn’t cause any disruption to our systems or service,” it added. “Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security specialists to assist with the investigation. We have also notified law enforcement.”
After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its dark web data leak site after failing to extort the company.
“Your Snowflake and Bigquery instances data was compromised because of Anodot.com,” the extortion gang said. “The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made.”

While Vimeo has yet to disclose the total number of individuals whose information was stolen in the incident, data breach notification service Have I Been Pwned analyzed the stolen data and reported that the breach exposed the email addresses and (in some cases) names of 119,200 people.
Previously, the cybercrime group told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. ShinyHunters also confirmed they tried to steal data from Salesforce instances, but said they were blocked by AI-based detection.
ShinyHunters has also been linked to a widespread vishing campaign that targets employees’ and Business Process Outsourcing (BPO) agents’ Microsoft Entra, Okta, and Google SSO accounts.
After breaching corporate SSO accounts, they steal data from connected SaaS applications, including Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others.
Other breaches claimed by ShinyHunters in recent weeks include the European Commission, Rockstar Games, edtech giant McGraw Hill, and, more recently, medical device maker Medtronic, cruise line operator Carnival, fast fashion retailer Zara, convenience store chain 7-Eleven, and online training company Udemy.




