Vercel April 2026 security incident
colesantiago
655 points
373 comments
April 19, 2026
https://vercel.com/kb/bulletin/vercel-april-2026-security-in...
Related Discussions
- Vercel may have been breached MattIPv4 · 18 pts · April 19, 2026 · 77% similar
- Vercel says internal systems hit in breach whiteyford · 377 pts · April 19, 2026 · 76% similar
- European Commission cloud breach: a supply-chain compromise Sandman · 16 pts · April 04, 2026 · 51% similar
- Vercel down in Dubai, EU affected also techterrier · 33 pts · March 02, 2026 · 51% similar
- The Resolv hack: How one compromised key printed $23M timbowhite · 78 pts · March 23, 2026 · 51% similar
Discussion Highlights (20 comments)
OsrsNeedsf2P
The lack of details makes me wonder how large this "subset" of users really is
MattIPv4
Related: https://news.ycombinator.com/item?id=47824426
https://x.com/theo/status/2045862972342313374
> I have reason to believe this is credible.
https://x.com/theo/status/2045870216555499636
> Env vars marked as sensitive are safe. Ones NOT marked as sensitive should be rolled out of precaution
https://x.com/theo/status/2045871215705747965
> Everything I know about this hack suggests it could happen to any host
https://x.com/DiffeKey/status/2045813085408051670
> Vercel has reportedly been breached by ShinyHunters.
ofabioroma
Time to IPO
neom
https://x.com/theo/status/2045871215705747965 - "Everything I know about this hack suggests it could happen to any host" He also suggests in another post that Linear and GitHub could also be pwned? Either way, hugops to all the SRE/DevOps out there, seems like it's going to be a busy Sunday for many.
jtreminio
I'm on a MacBook Pro, Google Chrome 147.0.7727.56. Clicking the Vercel logo at the top left of the page hard crashes my Chrome app. Like, immediate crash. What an interesting bug.
rvz
There is no serious reason to use Vercel, other than for those being locked into the Next.js ecosystem and demo projects.
gneray
Oy vey: https://x.com/theo/status/2045862972342313374?s=46
0xy
This is why you pay a real provider for serious business needs, not an AWS reseller. Next.js is a fundamentally insecure framework, as server components are an anti-pattern full of magic leading to stuff like the below. Given their standards for framework security, it's not hard to believe their business' control plane is just as insecure (and probably built using the same insecure framework). Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically. https://aws.amazon.com/security/security-bulletins/rss/aws-2...
mikert89
Much as I want to rip on Vercel, it's clear that AI is going to lead to mass security breaches. The attack surface is so large, and AI agents are working around the clock. This is a new normal. Open source software is going to change; companies won't be running random repos off GitHub anymore.
adithyasrin
The original link posted in the post has almost the same content: https://vercel.com/kb/bulletin/vercel-april-2026-security-in...
adithyasrin
We run on Vercel and I wonder if / how long before we're alerted about a leak. Quick look online suggests environment variables marked as sensitive are ok, but to which extent I wonder.
swingboy
Is this one of those situations where _a lot_ of customers are affected and the “subset” are just the bigger ones they can’t afford to lose?
toddmorey
I've been part of a response team on a security incident and I really feel for them. However, this initial communication is terrible. Something happened, we won't say what, but it was severe enough to notify law enforcement. What floors me is the only actionable advice is to "review environment variables". What should a customer even do with that advice? Make sure the variables are still there? How would you know if any of them were exposed or leaked? The advice should be to IMMEDIATELY rotate all passwords, access tokens, and any sensitive information shared with Vercel. And then begin to audit access logs, customer data, etc., for unusual activity. The only reason to dramatically overpay for the hosting resources they provide is because you expect them to expertly manage security and stability. I know there is a huge fog of uncertainty in the early stages of an incident, but it spooks me how intentionally vague they seem to be here about what happened and who has been impacted.
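The "rotate everything, then audit access logs" advice in the comment above, turned into a concrete triage script. This is an added example and not code from the thread or from Vercel: the inventory schema (`name`, `sensitive`, `targets`), the log line format, the credential-name heuristic and all sample values are constructed for illustration and are not a real provider's export format. It produces a prioritised rotation list (variables not marked sensitive in production first, per the claim quoted elsewhere in the thread that sensitive-marked ones were not exposed) and flags access-log entries inside the incident window that come from an IP the user has not used before or that touch secrets.

```python
"""Post-incident triage helper (added example, constructed data).

Two defender tasks from the thread: (1) decide which stored secrets to
rotate first, (2) pick out access-log entries worth a human look.
"""
import re
from datetime import datetime, timezone

# --- 1. Secret rotation plan -------------------------------------------
# Constructed inventory; the schema is an assumption, not a provider's API.
INVENTORY = [
    {"name": "DATABASE_URL",        "sensitive": False, "targets": ["production"]},
    {"name": "STRIPE_SECRET_KEY",   "sensitive": True,  "targets": ["production"]},
    {"name": "NEXT_PUBLIC_API_BASE","sensitive": False, "targets": ["production", "preview"]},
    {"name": "GITHUB_TOKEN",        "sensitive": False, "targets": ["preview"]},
    {"name": "LOG_LEVEL",           "sensitive": False, "targets": ["development"]},
]

# Heuristic only: names that usually hold credentials or connection strings
# with embedded passwords. Tune it for your own naming conventions.
CREDENTIAL_HINT = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|KEY|DSN|_URL$", re.I)


def classify(var):
    """Return (priority, reason) for one variable, or None if no action."""
    name = var["name"]
    if name.startswith("NEXT_PUBLIC_"):
        # Shipped to the browser bundle by convention: never a secret store.
        return None
    if not CREDENTIAL_HINT.search(name):
        return None
    if var["sensitive"]:
        return ("P2", "marked sensitive: reportedly not exposed, schedule rotation anyway")
    if "production" in var["targets"]:
        return ("P0", "credential-like and NOT marked sensitive, production: rotate now")
    return ("P1", "credential-like and NOT marked sensitive, non-production: rotate")


def rotation_plan(inventory):
    """Sorted list of (priority, name, reason); P0 comes first."""
    plan = []
    for var in inventory:
        result = classify(var)
        if result:
            plan.append((result[0], var["name"], result[1]))
    return sorted(plan)


# --- 2. Access-log review ----------------------------------------------
# Constructed log format: "<iso-ts> user=<u> ip=<ip> action=<a>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)")
SENSITIVE_ACTIONS = {"env.read", "env.update", "token.create", "member.add"}

# Constructed sample lines (TEST-NET addresses), UTC timestamps.
LOG = """\
2026-04-10T09:12:44Z user=alice ip=203.0.113.5 action=deploy.create
2026-04-17T23:58:01Z user=alice ip=203.0.113.5 action=env.read
2026-04-18T02:31:17Z user=alice ip=198.51.100.77 action=env.read
2026-04-18T02:33:40Z user=alice ip=198.51.100.77 action=token.create
2026-04-18T10:05:09Z user=bob ip=203.0.113.9 action=deploy.create
""".splitlines()

# Assumed incident window start and per-user IP baseline built from
# pre-incident logs (both constructed here).
INCIDENT_START = datetime(2026, 4, 18, tzinfo=timezone.utc)
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.9"}}


def flag_access(lines, incident_start, known_ips):
    """Entries at/after incident_start from an unseen IP, or performing a
    secret-touching action. Returns (ts, user, ip, action, why) tuples."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the review
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < incident_start:
            continue
        new_ip = m["ip"] not in known_ips.get(m["user"], set())
        if new_ip or m["action"] in SENSITIVE_ACTIONS:
            why = "new-ip" if new_ip else "sensitive-action"
            flagged.append((m["ts"], m["user"], m["ip"], m["action"], why))
    return flagged


if __name__ == "__main__":
    for item in rotation_plan(INVENTORY):
        print("ROTATE", *item)
    for entry in flag_access(LOG, INCIDENT_START, KNOWN_IPS):
        print("REVIEW", *entry)
```

The IP baseline is deliberately built from logs before the incident window so that attacker activity inside the window cannot teach the script what "normal" looks like; the same idea applies to user agents or API-token IDs if your provider's logs carry them.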
nike-17
Incidents like this are a good reminder of how concentrated our single points of failure have become in the modern web ecosystem. I appreciate the transparency in their disclosure so far, but it definitely makes you re-evaluate the risk profile of leaning entirely on fully managed PaaS solutions.
jtokoph
This announcement in its current form is quite useless and not actionable. At least people won't be able to say "why didn't you say something sooner?" They said _something_.
arabsson
So, the Vercel post says a number of customers were impacted, but not everyone, and they will contact the people that were impacted. I wasn't contacted so does that mean I'm safe?
zuzululu
What is the rationale for using Vercel? I'm getting a lot of value out of Cloudflare with the $5/month plan lately, but my bare metal box with triple-digit RAM has seen zero downtime since 2015.
_puk
Hmmm, the dashboard 404 I got 6 hours ago now makes a bit more sense.
nothinkjustai
Looks like their rampant vibe coding is starting to catch up to them. Expect to see many pre vulns like this in the future.
jheitzeb
Missing from Glasswing