Vimeo Confirms 119,000 Emails Leaked in Anodot Vendor Hack
Vimeo confirmed on April 27, 2026 that an unauthorized actor pulled email addresses, video titles, and technical metadata for roughly 119,000 of its users out of a third-party analytics tool connected to its systems. The vendor was Anodot. The attacker was the ShinyHunters extortion crew. None of the data lifted included Vimeo videos, working passwords, or payment cards, and Vimeo says its own platform never went down.
The breach reached the public registry on May 5, when Have I Been Pwned added 119,167 unique email addresses, sometimes paired with names, to its searchable index. ShinyHunters had already published a 106GB archive after Vimeo declined to pay an extortion demand.
How The Vimeo Breach Surfaced
The ShinyHunters group listed Vimeo on its “pay or leak” portal in April 2026, part of a string of SaaS-vendor-led extortion attacks the gang has been running since the start of the year. The deadline came and went. The data went up.
Vimeo’s official Anodot incident notice attributes the leak to a third-party analytics vendor, not its own infrastructure. The company says login credentials remain valid and no service disruption hit its hosting platform.
Eight days later, breach-notification service Have I Been Pwned added the dump to its public index on May 5, 2026. The HIBP entry pegs the affected count at 119,167 and lists the exposed data classes as email addresses and names.

The Anodot Pipeline That Burst
Anodot is an Israeli AI analytics firm whose product watches business metrics for unusual swings in revenue, transactions, or system performance. Vimeo plugged it in as an anomaly-detection layer over its Snowflake data warehouse. So did dozens of other companies, several of them very large.
To do that work, Anodot held authentication credentials inside customer cloud accounts. Snowflake confirmed in early April that those tokens were the entry point for a broad data-theft campaign. ShinyHunters extracted the OAuth tokens, walked through them, and pulled out customer data sets one by one.
For Vimeo, the databases reached through that integration carried the platform’s day-to-day analytics signals. Per Vimeo’s own disclosure, the records included:
- Technical data and video metadata
- Video titles
- Customer email addresses, in some cases paired with display names
Once the breach surfaced internally, Vimeo killed every Anodot credential, severed the integration, and brought in outside forensic responders. Law enforcement has been notified.
What Sat Inside The 106GB Dump
ShinyHunters dropped a 106GB archive of Vimeo material on its leak site after extortion talks collapsed. The bulk of the contents are technical: tables of video metadata, performance counters, internal monitoring rows. The personal data sits in a smaller slice of those records, where customer email accounts are tied to display names.
The numbers tell their own story:
- 119,167 unique email addresses indexed by Have I Been Pwned
- 106 GB total archive size published on the ShinyHunters leak portal
- 0 Vimeo passwords, payment cards, or video files in the dump, per the company’s disclosure
- April 27, 2026: the official notification date from Vimeo
Why ShinyHunters Hit Vendors, Not Vimeo
Direct attacks on hardened consumer platforms are slow, loud, and expensive. SaaS analytics vendors sit one tier removed from the brand and often hold credentials reaching directly into customer data warehouses. One break-in, dozens of payouts.
That model has carried ShinyHunters through the first half of 2026. Google Threat Intelligence Group’s tracking write-up on the campaign maps the activity across three named clusters, UNC6661, UNC6671 and UNC6240, and warns the operators are still expanding scope.
“We are seeing a fundamental shift in how data extortion groups operate.”
That assessment came from Sandra Joyce, Vice President of Mandiant Intelligence at Google Cloud, in the company’s analyst summary of the wave. The shift hits where it counts: vendors with fewer SOC analysts hold more keys to more vaults than the brands they serve.
The crew’s reach is broad but not unlimited. Attempts to move laterally into Salesforce environments through stolen tokens have been detected and blocked, according to RH-ISAC’s active campaign bulletin. The data warehouse pulls have continued anyway.
For defenders, the lesson written on every disclosure since 2024’s earlier Snowflake-customer wave is the same: third-party tokens with persistent access need the same auditing tempo as employee credentials. Most companies still don’t run them that way. Mandiant’s proactive defense advisory walks through the token rotation and SaaS audit steps the campaign keeps exposing.
The Other Names On The Same Token Trail
Vimeo is not the headline in this campaign. Rockstar Games confirmed on April 11 that ShinyHunters had pulled 7.54 GB of internal analytics from its Snowflake instance, including game-economy data for GTA Online and Red Dead Online. The studio refused to pay. The dump landed on April 15.
Rockstar said no player credentials, no account data, and no GTA VI assets were inside the leaked files. The same playbook hit a string of consumer and finance brands in adjacent weeks.
| Company | Data Pulled | Outcome |
|---|---|---|
| Rockstar Games | 7.54 GB internal analytics | Dumped April 15 |
| Vimeo | ~106 GB metadata, 119K emails | Dumped early May |
| Hims & Hers | Customer datasets | Listed on portal |
| Adidas | Customer datasets | Listed on portal |
| CarGurus | Customer datasets | Listed on portal |
| Grupo Bancolombia | Customer datasets | Listed on portal |
Each of those companies had Anodot connected to a Snowflake data warehouse. Each lost customer-side records sitting inside those warehouses. None of them describe a breach of their own perimeter.
Steps For Affected Vimeo Users
Vimeo has not committed to direct user notification beyond its blog post. That puts the burden of action on people who used the service.
The basics matter more than they look:
- Run your email address through Have I Been Pwned to confirm whether your account sits inside the indexed dump.
- Treat any Vimeo-themed message arriving over the next 90 days as suspicious by default. Email-plus-name pairings power convincing phishing.
- If your Vimeo password also lives on other sites, change those copies first. The dump does not contain passwords, but threat actors will probe known reused logins.
- Turn on two-factor authentication inside Vimeo account settings. The company’s session credentials remain valid, which means MFA is the next gate.
- Watch for video-takedown or copyright-claim spoofs. Names plus video titles let attackers craft believable fake notices.
The risk profile here is phishing more than account takeover. Email lists this large, scraped clean and tied to creator names, sell well on infostealer markets and fuel targeted spear-phishing for months after the original dump.
For business and Pro Vimeo customers, the operational task is heavier. Audit any analytics, monitoring, or BI integration running against your warehouse today. Confirm what tokens those tools hold. Rotate them on a cycle short enough to make stolen tokens worthless.
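The audit described above, sketched as an added example (not code from Vimeo, Anodot or Snowflake): it checks a constructed inventory of vendor credentials against an assumed 30-day rotation policy and flags warehouse reads that come from outside the vendor's expected network ranges or return unusually many rows. All identity names, networks, dates and thresholds are hypothetical sample data.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed policy values; tune to your own environment.
NOW = datetime(2026, 5, 6, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)        # assumed rotation cycle
MAX_ROWS_PER_QUERY = 1_000_000      # assumed bulk-read threshold

# Constructed inventory: vendor identities allowed to read the warehouse.
INTEGRATIONS = {
    "analytics_vendor_svc": {"issued": "2025-09-14", "allowed": ["198.51.100.0/24"]},
    "bi_dashboard_svc":     {"issued": "2026-04-20", "allowed": ["203.0.113.0/28"]},
}

# Constructed access-log rows: (identity, source IP, rows returned).
ACCESS_LOG = [
    ("analytics_vendor_svc", "198.51.100.17", 4_200),
    ("analytics_vendor_svc", "192.0.2.55", 38_000_000),
    ("bi_dashboard_svc", "203.0.113.5", 900),
    ("unknown_tool_svc", "203.0.113.5", 10),
]

def audit(integrations, access_log, now=NOW):
    """Return (identity, finding) pairs for stale or misused vendor credentials."""
    findings = []
    # 1. Credentials older than the rotation cycle.
    for name, meta in integrations.items():
        issued = datetime.fromisoformat(meta["issued"]).replace(tzinfo=timezone.utc)
        if now - issued > MAX_AGE:
            findings.append((name, "stale_credential"))
    # 2. Reads by identities missing from the inventory, from unexpected
    #    networks, or returning more rows than the integration should need.
    for name, src, rows in access_log:
        meta = integrations.get(name)
        if meta is None:
            findings.append((name, "uninventoried_identity"))
            continue
        if not any(ip_address(src) in ip_network(net) for net in meta["allowed"]):
            findings.append((name, "unexpected_source"))
        if rows > MAX_ROWS_PER_QUERY:
            findings.append((name, "bulk_read"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(INTEGRATIONS, ACCESS_LOG):
        print(f"{name}: {issue}")
```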
Frequently Asked Questions
Was My Vimeo Password Stolen In This Breach?
No. Vimeo’s disclosure says the data taken does not include valid login credentials or payment card information. The exposed records are email addresses, names in some cases, video titles, and platform metadata. You do not need to reset your Vimeo password because of this incident, though changing it never hurts. Existing sessions remain active per the company’s notice.
How Do I Check If My Email Is In The Leaked Dataset?
Search your email at haveibeenpwned.com. The breach was added on May 5, 2026 and is labelled “Vimeo.” If the result page returns the Vimeo entry, your address sits inside the indexed 119,167 records. The site is run by Australian security researcher Troy Hunt and is the standard reference enterprise security teams use for breach lookups.
Will Vimeo Email Me Directly If I Was Affected?
Maybe. Vimeo’s April 27 disclosure committed to providing further updates as the investigation continues but did not promise individual notification. State and regional breach laws may force direct notice for users in jurisdictions like California or the EU. Don’t wait on it. Run the HIBP check yourself today and rotate any reused passwords while you’re there.
Are My Uploaded Videos At Risk?
No. Vimeo confirmed that video content was not accessed in the breach. The data sat in analytics databases, not in the storage layer that holds actual video files. Private videos and password-protected uploads remain inaccessible to the attackers based on the disclosure. The exposed metadata covers titles and technical fields only, not playback content.
What Is Anodot And Why Did Vimeo Use It?
Anodot is an Israeli AI analytics company whose machine-learning product flags unusual changes in revenue, transactions, and system metrics. Vimeo plugged it in as an anomaly-detection layer over its Snowflake data warehouse. Anodot held authentication tokens inside that warehouse, and ShinyHunters stole those tokens to access connected customer data without ever touching Vimeo’s own perimeter.
The Vimeo dump is the latest data point in a story that started at Anodot, not at Vimeo. Until vendor token hygiene catches up to user credential hygiene, the chain will keep producing 100,000-record Tuesdays. The next name on the leak site will arrive before the previous one finishes its breach response.
Disclaimer: This article reports on a publicly disclosed data breach and outlines general protective steps for affected users. The information provided is for general awareness only and does not replace individual incident response guidance. Affected Vimeo customers and business administrators should consult their own security team or a qualified responder before applying any change to production systems. Specific figures and remediation details are accurate as of May 6, 2026 and may evolve as the investigation continues.