Vercel, a cloud platform for developers, has been hacked; a 'third-party AI tool' is suspected to be the attack's vector.

A security incident involving unauthorized access occurred in April 2026 at Vercel, a cloud platform for front-end developers, affecting some customers. Vercel explained that the intrusion was caused by a compromised Google Workspace OAuth app using a third-party AI tool.

Vercel April 2026 security incident | Vercel Knowledge Base
https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

We've identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: https://t.co/0S939n3qHC

— Vercel (@vercel) April 19, 2026

Vercel stated that it had detected unauthorized access to parts of its internal systems, and therefore hired incident response specialists to investigate and contain the issue, and also notified law enforcement agencies.

According to the IT news site The Verge , someone claiming to be a member of the hacker group ' ShinyHunters ' posted some data online, including employee names, email addresses, and timestamps of their activities.

On the other hand, Vercel states that the service itself is continuing to operate, that only a limited number of customers have been affected so far, and that they are contacting affected customers individually.

Vercel explained that the breach was caused by 'a small third-party AI tool, the Google Workspace OAuth app, being targeted by a widespread compromise that could affect hundreds of users across multiple organizations.'

As a countermeasure for users, Vercel is urging them to check their account and environment activity logs for any suspicious activity. In addition, they recommend that environment variables containing sensitive information such as API keys, tokens, database credentials, and signing keys that were not set as 'sensitive' be changed as a priority, as they may have been leaked. They also recommend using features that protect sensitive environment variables in a way that prevents them from being read.

Furthermore, the company requests that users review their recent deployment history for any suspicious activity, delete anything necessary, set Deployment Protection to at least 'Standard,' and rotate any associated tokens.

In addition, Google is urging Google Workspace administrators and Google account owners to immediately check if the problematic OAuth app is being used, and has also released the OAuth App identifier '110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com' as an IOC to assist in the investigation.