ShinyHunters Gang Linked to Vimeo Data Breach Exposing 119,000 Users' Personal Information

The ShinyHunters extortion collective accessed personal data belonging to more than 119,000 individuals after breaching Vimeo's systems in April, according to breach notification records compiled by Have I Been Pwned. The incident traces back to a compromise at Anodot, a data anomaly detection software provider that integrates with Vimeo's platform, highlighting a supply chain exposure vector that has become increasingly prevalent in enterprise data theft campaigns.

Vimeo, a Nasdaq-listed video hosting service with over 300 million registered accounts and more than 1,100 employees, reported revenues of $417 million for fiscal year 2024. The company confirmed the unauthorized data access on April 27, acknowledging that customer and user information had been obtained without authorization. Anodot's breach is connected to a broader wave of attacks targeting SaaS integrators and data vendors that hold sensitive information for downstream corporate clients. The ShinyHunters group, known for previous high-profile extortion operations, has claimed responsibility and reportedly attempted to monetize the stolen data.

Security researchers warn that such third-party service compromises create amplified risk for affected users, as attackers can leverage personal details across credential stuffing, phishing, and social engineering campaigns. Vimeo users whose information appeared in the breach dataset should monitor for suspicious account activity, phishing attempts, and consider credential rotation. The incident adds to a growing list of supply chain breaches affecting major platforms and raises renewed questions about vendor security assessment practices in the SaaS ecosystem.