Vimeo, the global video hosting giant, announced it has been swept up in a security incident involving Anodot, a third-party analytics vendor. While Vimeo’s internal systems remain untouched, the breach underscores how even a “secondary” vendor can become a primary headache for major tech platforms.
The incident follows a wider pattern of activity by a threat actor currently being tracked by Google Threat Intelligence, who has claimed responsibility for the unauthorized access at Anodot.
Vimeo’s security team confirmed that an unauthorized actor managed to access specific segments of user and customer data through the Anodot breach. Based on the initial forensic cleanup, the exposed information appears to be largely operational and metadata-heavy.
According to the official disclosure, “Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”
Crucially, Vimeo has drawn a hard line between the metadata handled by Anodot and the sensitive information stored on its own infrastructure. The company was quick to reassure its millions of creators and enterprise clients that their core assets and financial data remain secure:
- Video Content: No Vimeo video content was accessed during the breach.
- Login Credentials: Valid user login credentials remain secure and were not part of the data dump.
- Financial Data: Payment card information was not included in the affected databases.
- System Stability: The incident did not cause any disruption to Vimeo’s systems or daily services.
Upon identifying the connection to the Anodot breach, Vimeo’s security operations center (SOC) moved into a high-intensity containment phase. The company immediately severed ties with the vendor’s infrastructure, disabling all Anodot-related credentials and removing the integration from Vimeo’s internal systems.
Vimeo has also taken the traditional but necessary steps of engaging third-party security experts to verify its findings and notifying law enforcement agencies.
“Our investigation is ongoing, and we’ll continue to take appropriate measures as we learn more,” the company confirms.