A Roblox cheat and one AI tool brought down Vercel's platform

bishwasbh 66 points 24 comments April 21, 2026
webmatrices.com

Discussion Highlights (12 comments)

EdwardDiego

A frigging Roblox cheat... And I thought it was bad when my son got compromised by a Roblox cheat, but they only grabbed his Gamepass cookies and bought 4 Minecraft licenses, which MS quickly refunded...

jesse_dot_id

> How many developers do you think knew that checkbox existed? How many assumed their database credentials and API keys were encrypted by default?

If I don't see asterisks, I'm not hitting save on the field with a secret in it. Maybe they were setting them programmatically? They should definitely still be looking to pass some kind of a secret flag, though. This is a weird problem for a company like Vercel to have.

ethin

This looks really really AI-generated even if the author did try to hide it by making some grammar elements improper. Idk if that diminishes its accuracy though.

varun_ch

Context.ai seems like it was the SPOF. By definition it has a lot of your data, and they didn’t secure it properly.

R41

good article, these AI products are crazy supply chain risks.

mudkipdev

I'm getting a "failed to verify your browser" error on this article

ChrisArchitect

Related: Vercel April 2026 security incident https://news.ycombinator.com/item?id=47824463

ryanisnan

Convenience is our Achilles heel, as a society. We'll keep dangerous devices like the SuperBox in our homes, if it helps us get access to free movies and tv. We'll use single-use plastics, even if we know they're bad for the environment, because they're just so damn easy. We'll let AI run that thing for us, because it's just too easy. A whole generation has grown up without knowing what it was like to infect your computer with AIDS trying to download an MP3, and it shows. That caution will come back, just at a terrible cost.

yoaviram

I believe this is inaccurate. Vercel env vars are all encrypted at rest (on their side). The 'sensitive' checkbox means you can't retrieve the value once it's set, which would have saved your ass in this case. Also, annoying to read an article like this without a single link to source material.

kstrauser

I think this is wrong about what “sensitive” means here. AFAIK, all Vercel env vars are encrypted. The sensitive checkbox means that a developer looking at the env var can’t see what value is stored there. It’s a write-only value. Only the app can see it, via an env var (which obviously can’t be encrypted in such a way that the app can’t see it, otherwise it’d be worthless). If you don’t check that box, you can view the value in the project UI. That’s reasonable for most config values. Imagine “DEFAULT_TIME_ZONE” or such. There’s nothing gained from hiding it, and it’d be a pain in the ass come troubleshooting time. So sensitive doesn’t mean encrypted. It means the UI doesn’t show the dev what value’s stored there after they’ve updated it. Not sensitive means it’s still visible. And again, I presume this is only a UI thing, and both kinds are stored encrypted in the backend. I don’t work for Vercel, but I’ve used them a bit. I’m sure there are valid reasons to dislike them, but this specific bit looks like a strawman.

trick-or-treat

According to the email I got from Vercel it was a limited subset of customers and I'm not one:

> Initially, we identified a limited subset of customers whose Vercel credentials were compromised. We reached out to that subset and recommended that they rotate their credentials immediately. At this time, we do not have reason to believe that your Vercel credentials or personal data have been compromised.

doctorpangloss

This article is LLM authored and full of hallucinations. "Let that sink in for a second."
