Tools / News / Vimeo Confirms 119,000 User Records Exposed Through a Third-Party Analytics Vendor
Press

Vimeo Confirms 119,000 User Records Exposed Through a Third-Party Analytics Vendor

· VaultTools

ShinyHunters did not breach Vimeo. They breached Anodot, the analytics vendor sitting next to it, and walked out with 106 GB of customer data. The lesson lands on every SaaS that handles user files.

VaultTools · May 12, 2026

Black security camera mounted on a wall Photo by Bernard Hermant on Unsplash

Table of Contents


What Happened

On April 28, 2026, Vimeo disclosed a data breach affecting roughly 119,000 users. Have I Been Pwned ingested the dataset on May 5, 2026, confirming 119,200 unique email addresses. The extortion group ShinyHunters claimed responsibility and dumped 106 GB of stolen data after ransom negotiations collapsed.

How the Breach Worked

The attackers did not compromise Vimeo directly. They breached Anodot, a third-party analytics vendor used by Vimeo, and obtained authentication tokens for Vimeo’s Snowflake and BigQuery cloud environments. Those tokens were enough to read customer data sitting in the analytics pipeline. No software flaw was exploited on Vimeo’s side.

What Was Exposed

Vimeo confirmed the exposure of email addresses (sometimes accompanied by names), video titles, technical data, and metadata. The company stated that video content, valid login credentials, and payment card information were not affected. Even so, hundreds of gigabytes of customer related data left Vimeo’s perimeter through a vendor most users had never heard of.

The Supply Chain Lesson

Vimeo runs its own infrastructure with reasonable security controls. The data still leaked, because it had been copied into a third-party analytics platform. Any SaaS that handles user content, including online file converters, image editors, and PDF processors, exports user metadata to analytics, telemetry, and observability vendors by default. Every integration is another door.

Browser based tools that run on the user’s device close those doors structurally. No file leaves the machine, no metadata flows to a vendor, and no credentials gate access to a server because there is no server holding the data. The Vimeo breach is a reminder that the privacy of uploaded data depends not only on the vendor you chose, but on every vendor that vendor chose.


Sources