Vimeo Confirms Third-Party Breach That Exposed 119,200 Email Addresses


Vimeo has confirmed a security incident linked to Anodot, a third-party analytics vendor, after user and customer data was accessed without authorization. The breach exposed 119,200 email addresses, according to Have I Been Pwned.

The incident did not come from Vimeo’s core platform, according to the company. Instead, Vimeo said the exposure happened because of a broader breach affecting Anodot, a vendor used by Vimeo and other companies.

The exposed data mainly included technical records, video titles, metadata, and some customer email addresses. Vimeo said the incident did not expose video content, valid login credentials, or payment card information.

What Vimeo said about the breach

Vimeo published its security notice on April 27, 2026. The company said an unauthorized actor accessed certain Vimeo user and customer data through the Anodot incident.

The company said the accessed databases primarily contained technical data, video titles, metadata, and customer email addresses in some cases. Vimeo also said its systems and services continued operating without disruption.

After learning of the incident, Vimeo disabled all Anodot credentials and removed the Anodot integration from its systems. It also hired third-party cybersecurity experts and notified law enforcement.

Detail | What is known
Company affected | Vimeo
Vendor involved | Anodot
Breach month | April 2026
Accounts added to HIBP | 119,200
Data exposed | Email addresses and, in some cases, names
Not exposed | Video content, valid login credentials, and payment card information

ShinyHunters claimed responsibility

The ShinyHunters extortion group listed Vimeo on its leak site in April 2026 as part of a pay-or-leak campaign. The group later published stolen data after the ransom effort failed.

Have I Been Pwned said the leaked data mainly consisted of video titles, technical data, and metadata. It also contained 119,000 unique email addresses, sometimes with names attached.

BleepingComputer reported that ShinyHunters leaked a 106GB archive of stolen documents after Vimeo did not pay. The group claimed the data came through Anodot-linked access to cloud data environments.

Why the exposed email addresses matter

The breach did not expose passwords, but email addresses still carry risk. Attackers often use exposed emails and names to create convincing phishing messages that look like account alerts, invoices, copyright warnings, or video platform notifications.

Vimeo users should treat unexpected emails with extra caution, especially messages asking them to reset passwords, download files, check copyright claims, or sign in through a link.

Credential stuffing also remains a risk if users reuse passwords across services. Even though Vimeo said valid login credentials were not accessed, attackers may test exposed emails against password lists from unrelated breaches.

  • Watch for fake Vimeo account alerts.
  • Do not open unexpected attachments from unknown senders.
  • Avoid signing in through links sent by email.
  • Use a unique password for Vimeo and every other account.
  • Enable two-factor authentication where available.
  • Check whether the same email appears in older breaches.

The breach shows the risk of vendor access

This incident highlights a common problem in modern SaaS environments. A company can secure its own platform, but a vendor integration can still create a path to customer data.

Analytics vendors often need access to usage data, metadata, event logs, and customer identifiers. If those integrations expose more data than needed, a vendor breach can quickly become a customer data incident.

Companies using third-party analytics tools need strict data minimization, scoped credentials, short token lifetimes, audit logs, and fast revocation controls. Vendor access should never stay broader than the business need.
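The data minimization point can be made concrete with a small export filter. The following is an added example, not code from Vimeo, Anodot, or the original article: it forwards only allow-listed fields to an analytics vendor and replaces the customer email with a keyed pseudonym, so a vendor-side breach yields no usable addresses. The field names, the `customer_ref` key, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: the only fields the analytics vendor needs (hypothetical allow-list).
ALLOWED_FIELDS = {"event", "video_id", "duration_s", "plan"}
# Direct identifier that must never leave in raw form.
ID_FIELD = "email"


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalized identifier.

    A plain hash of an email can be reversed with a dictionary of known
    addresses; the key, held only by the exporter, prevents that.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_record(record: dict, key: bytes) -> dict:
    """Return the subset of `record` that may be sent to the vendor."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if record.get(ID_FIELD):
        # Stable per customer, so the vendor can still group events.
        out["customer_ref"] = pseudonymize(record[ID_FIELD], key)
    return out


def dropped_fields(record: dict) -> list:
    """Names of the fields withheld from the export, for the audit log."""
    return sorted(set(record) - ALLOWED_FIELDS)


# Constructed sample events; the addresses use the reserved example.com domain.
SAMPLE_EVENTS = [
    {"event": "play", "video_id": "v-100", "duration_s": 42, "plan": "pro",
     "video_title": "Q3 roadmap (internal)", "email": "Alice@Example.com",
     "name": "Alice Doe"},
    {"event": "upload", "video_id": "v-101", "plan": "free",
     "email": "bob@example.com", "ip": "203.0.113.7"},
]

if __name__ == "__main__":
    # Constructed key; in practice it comes from a secrets manager and is rotated.
    demo_key = b"constructed-demo-key"
    for ev in SAMPLE_EVENTS:
        print(minimize_record(ev, demo_key), "withheld:", dropped_fields(ev))
```

Rotating the key breaks the link between old and new pseudonyms, which limits how long a leaked dataset stays joinable with fresh exports.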

How the ShinyHunters campaign fits the bigger picture

Google Threat Intelligence has tracked an expansion of ShinyHunters-branded SaaS data theft operations in 2026. The activity focuses on cloud services, identity systems, and SaaS applications that hold business data.

Google said some campaigns use voice phishing and credential harvesting to get into corporate environments. Once inside, attackers target SaaS apps and cloud platforms to steal data for extortion.

The Vimeo incident fits that wider pattern because the claimed access involved a vendor and cloud data. It also shows why companies need to watch how third parties connect to Snowflake, BigQuery, analytics systems, and other business data platforms.

What Vimeo users should do now

Vimeo users do not need to change passwords because Vimeo said valid login credentials were not accessed. Still, changing a reused password is a good precaution if the same email and password were used elsewhere.

Users should also review account security settings and check for suspicious emails pretending to come from Vimeo, Anodot, copyright teams, payment systems, or video monetization services.

Businesses that use Vimeo should warn staff about phishing attempts. Teams should also review whether exposed email addresses belong to employees with access to admin panels, billing tools, marketing systems, or customer data.

Risk | Recommended action
Phishing emails | Open Vimeo directly in the browser instead of using email links
Password reuse | Change reused passwords on all affected accounts
Business account targeting | Warn employees and admins about fake Vimeo messages
Old breach exposure | Check whether the email appears in older leaks
Future account abuse | Use two-factor authentication and a password manager

FAQ

Was Vimeo hacked directly?

Vimeo said the incident came from a breach affecting Anodot, a third-party analytics vendor. The company did not describe it as a direct compromise of Vimeo’s core platform.

How many Vimeo users were affected?

Have I Been Pwned added 119,200 affected accounts from the Vimeo breach. The exposed data included email addresses and, in some cases, names.

Was Vimeo video content exposed?

No. Vimeo said the accessed data did not include Vimeo video content.

Were Vimeo passwords exposed?

No. Vimeo said valid user and customer login credentials were not accessed in the incident.
