Vercel breach traced to Roblox cheats and OAuth overreach

Tags: security, oauth, supply-chain-attack, credential-theft, malware, third-party-integrations, saas-risk, vercel
Originally from vm.tiktok.com

Summary

Vercel suffered a breach traced back to a single employee at a third-party AI tool vendor (Context AI) who downloaded Roblox cheat scripts infected with credential-stealing malware. The stolen credentials enabled attackers to harvest OAuth tokens for Context AI customers, including a Vercel employee who had granted broad Google Workspace permissions. The breach exposed environment variables for all Vercel customers whose secrets were not explicitly marked sensitive.

Key Insight

  • Attack chain length: 4 hops from game cheat download to multi-billion dollar hosting platform breach, each link being a trusted integration or permission
  • The real vulnerability: OAuth “allow all” prompts. A single click by one employee at a vendor granted attackers a path into an enterprise Google Workspace and from there into internal systems
  • Affected scope: the stolen data is being sold on hacker forums for $2 million; Vercel told all customers to rotate any environment variable not explicitly marked sensitive
  • Response gap: Context AI detected the breach internally and contained it without public disclosure, so downstream companies had no chance to act until damage was done
  • Second-order risk: every “Sign in with Google” or OAuth connection is a potential attack vector if that third-party vendor gets compromised, not just if your own systems do
  • Remediation available now: Google account security settings list all connected third-party apps; unused connections can be revoked at any time
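The last two points (broad OAuth grants as the weak link, and revoking unused connections) can be turned into a routine audit. The script below is an added example, not code from the video or from Vercel, Context AI or Google; it runs over constructed grant records whose shape (user, client name, scopes, last-used date) is an assumption loosely modelled on what a Workspace token listing exposes, and the 90-day staleness threshold is an assumed policy.

```python
"""Audit third-party OAuth grants for over-broad scopes and stale connections."""
from datetime import date

# Scopes that hand a third party the whole account surface (the "allow all" prompt).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user admin",
    "https://www.googleapis.com/auth/cloud-platform": "all Google Cloud resources",
}
STALE_DAYS = 90  # assumed policy: a grant unused this long should be revoked

# Constructed sample records (assumed shape); not real users, apps or grants.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "client_name": "AI assistant app",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/",
                "openid", "email"], "last_used": date(2024, 1, 5)},
    {"user": "alice@example.com", "client_name": "Calendar widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": date(2023, 6, 1)},
    {"user": "bob@example.com", "client_name": "SSO login only",
     "scopes": ["openid", "email", "profile"], "last_used": date(2024, 1, 10)},
]


def assess_grant(grant, today):
    """Return (risk, reasons) for one grant: 'high', 'stale' or 'ok'."""
    reasons = [f"broad scope: {BROAD_SCOPES[s]}" for s in grant["scopes"] if s in BROAD_SCOPES]
    last_used = grant.get("last_used")
    if last_used is None or (today - last_used).days > STALE_DAYS:
        reasons.append(f"unused for over {STALE_DAYS} days")
    if any(r.startswith("broad scope") for r in reasons):
        return "high", reasons      # a vendor compromise inherits the whole account
    if reasons:
        return "stale", reasons     # no current use: revoke rather than keep the exposure
    return "ok", reasons


def audit(grants, today=None):
    """Map (user, client_name) -> (risk, reasons) for every grant."""
    today = today or date.today()
    return {(g["user"], g["client_name"]): assess_grant(g, today) for g in grants}


if __name__ == "__main__":
    for (user, app), (risk, reasons) in audit(SAMPLE_GRANTS, date(2024, 1, 15)).items():
        print(f"{risk:5} {user:20} {app:18} {'; '.join(reasons)}")
```

Sign-in-only grants (openid/email/profile) come out as "ok" because they give a compromised vendor an identity claim, not access to mail or files; the grants worth the revocation click are the ones flagged "high".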