Vimeo
Vimeo's Snowflake and BigQuery environments were compromised through a third-party analytics vendor. The attack surface wasn't Vimeo—it was the tools they used to understand their own data.
What happened?
On April 4, 2026, the ShinyHunters extortion group compromised Anodot, a third-party analytics vendor used by Vimeo. Using stolen authentication tokens, attackers accessed Vimeo's Snowflake and BigQuery cloud environments. When ransom negotiations failed, ShinyHunters dumped 106GB of stolen data on their dark web leak site with a message: "Your Snowflake and BigQuery instances data was compromised thanks to Anodot.com."
What data was actually inside?
119,200 unique email addresses. Names for a subset of users. Video titles. Technical metadata. Vimeo confirmed the breach did not include video content, login credentials, or payment card information—but 106GB of data still walked out the door.
Have I Been Pwned noted that 56% of the affected accounts were already exposed in prior breaches. For those users, this is another credential stuffing opportunity. For the other 44%, this is their first appearance in a breach database.
Who gets hurt and how?
Vimeo users include independent filmmakers, businesses hosting product videos, educators sharing course content, and media companies distributing premium content. Their email addresses are now public. Combined with video titles and metadata, attackers know what content each user uploaded or watched.
For creators, this is targeting data. Phishing emails referencing specific videos they uploaded. Impersonation attempts using their content history. For businesses, it's a map of their video marketing operations—which products they're promoting, which training materials they've created, which internal communications they've recorded.
What did they think they were doing right?
Using enterprise cloud infrastructure. Snowflake and BigQuery are industry-standard data platforms with robust security controls. Vimeo didn't store data in some forgotten server—they used the same cloud analytics stack that Fortune 500 companies rely on.
Anodot is a business intelligence platform that helps companies analyze metrics and detect anomalies. To do that job, it needs access to your data. Vimeo gave Anodot authentication tokens for their Snowflake and BigQuery environments because that's how modern analytics integrations work. When Anodot was compromised, those tokens became the attack vector.
What did they not know about their own data?
Vimeo knew Anodot had access to their analytics environments. That's how the integration was designed. What they may not have fully mapped: exactly which user data those environments contained, which tables held email addresses paired with names, which queries Anodot could run against their production data.
106GB is a lot of data. When Vimeo said the breach "does not include video content, valid user login credentials, or payment card information," they were drawing boundaries around what they thought was sensitive. But 119,200 email addresses with names and content metadata were apparently accessible—and apparently not classified as high-risk enough to warrant tighter access controls.
If you use cloud storage, do you know what sensitive data lives in your buckets and blobs? Or would you find out the same way they did?
What does attribution look like the morning after?
Vimeo's response was swift: disable Anodot credentials, remove the integration, engage security experts and law enforcement. But by April 30—three weeks after the breach—ShinyHunters was already threatening to publish if ransom demands weren't met. Negotiations failed. The data went public.
ShinyHunters used the same Anodot pathway to hit Rockstar Games. This wasn't a one-off—it was a campaign. Anodot's customer list became a target list, and each integration was another potential breach waiting to happen.
What would have changed the outcome?
Knowing exactly what sensitive data each third-party integration could access before that access was abused.
Anodot needed analytics access. But did it need access to 119,200 user email addresses? Did it need names? Every third-party integration is a trust decision—and every trust decision should be scoped to the minimum data required for the job.
The organizations that survive vendor compromises are the ones who already know which integrations can reach which data. Not "analytics access to Snowflake"—but exactly which tables, which columns, which user records. That inventory is the difference between a contained incident and a 106GB leak.
Vimeo found out the hard way.
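One way to build the per-integration inventory described above, as an added example that is not from Vimeo, Anodot, or any vendor tooling. The role, table and column names, the grant rows and the approved-scope list are all constructed, and the sensitivity check is a column-name heuristic only.

```python
import re

# Constructed sample inventory: role, table and column names are hypothetical,
# not taken from the incident. Grants are (role, privilege, table) rows.
GRANTS = [
    ("VENDOR_ANALYTICS_RO", "SELECT", "PROD.METRICS.DAILY_PLAYS"),
    ("VENDOR_ANALYTICS_RO", "SELECT", "PROD.CORE.USERS"),
    ("VENDOR_ANALYTICS_RO", "SELECT", "PROD.CORE.VIDEOS"),
    ("BILLING_SVC", "SELECT", "PROD.CORE.USERS"),
]
COLUMNS = {
    "PROD.METRICS.DAILY_PLAYS": ["DAY", "VIDEO_ID", "PLAY_COUNT"],
    "PROD.CORE.USERS": ["USER_ID", "EMAIL", "FULL_NAME", "CREATED_AT"],
    "PROD.CORE.VIDEOS": ["VIDEO_ID", "OWNER_ID", "TITLE", "CODEC"],
}
# Tables each integration was approved to read (the documented business need).
APPROVED = {"VENDOR_ANALYTICS_RO": {"PROD.METRICS.DAILY_PLAYS"}}

# Name-based heuristics only; a real inventory would also sample column values.
SENSITIVE = [
    ("email", re.compile(r"(^|_)E?MAIL(_|$)")),
    ("person_name", re.compile(r"(^|_)(FULL|FIRST|LAST|DISPLAY)_NAME$")),
    ("content_title", re.compile(r"(^|_)TITLE$")),
]

def classify(column):
    """Return the sensitivity label for a column name, or None."""
    for label, pattern in SENSITIVE:
        if pattern.search(column.upper()):
            return label
    return None

def readable_tables(role):
    """Tables the role can read according to the grant rows."""
    return {t for r, priv, t in GRANTS if r == role and priv == "SELECT"}

def exposure(role):
    """Map each readable table to its sensitive columns: {table: {column: label}}."""
    report = {}
    for table in sorted(readable_tables(role)):
        hits = {c: classify(c) for c in COLUMNS.get(table, []) if classify(c)}
        if hits:
            report[table] = hits
    return report

def excess_grants(role):
    """Readable tables that are outside the role's approved scope."""
    return sorted(readable_tables(role) - APPROVED.get(role, set()))

if __name__ == "__main__":
    for role in sorted({r for r, _, _ in GRANTS}):
        print(role, "sensitive:", exposure(role), "excess:", excess_grants(role))
```

A role with no entry in the approved-scope list has every readable table reported as excess, so integrations that were never reviewed surface first.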
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.