Vimeo Data Breach Exposes 119,000 Users' Personal Information
The ShinyHunters extortion group has claimed responsibility for a significant data breach at Vimeo, the popular online video platform owned by IAC. Security researchers first identified the compromise in April 2024 when the threat actors began selling the stolen database on dark web forums. According to data breach notification service Have I Been Pwned, the breach affected approximately 119,000 individuals whose personal information was exposed, including names, email addresses, and encrypted passwords. Vimeo confirmed the breach and began notifying affected users in accordance with state data breach notification laws.
The compromised data reportedly includes a database extract containing user profile information, partial payment card data, and authentication credentials. ShinyHunters, a well-known threat actor group responsible for previous breaches at AT&T and Microsoft, utilized sophisticated social engineering techniques to gain initial access to Vimeo's internal systems. Security analysts believe the attackers exploited a misconfigured API endpoint that allowed unauthorized database access. The stolen data was subsequently posted for sale on the BreachForums marketplace, with asking prices reported in the tens of thousands of dollars.
Vimeo has engaged third-party forensic investigators from Mandiant to determine the full scope of the breach and has implemented additional security controls, including enhanced monitoring and mandatory password resets for affected accounts. The company's legal team is coordinating with regulatory bodies, including the New York Attorney General's office and the European Data Protection Board, given the presence of EU residents in the compromised dataset. Security experts recommend that affected users monitor their accounts for suspicious activity, change passwords immediately, and enable multi-factor authentication to mitigate potential identity theft or credential stuffing attacks.
This incident underscores the escalating threat posed by organized cybercrime groups targeting video streaming and content platforms. The ShinyHunters operation exemplifies a trend where threat actors combine data theft with extortion tactics, demanding payment in exchange for destroying the stolen information or threatening to disclose it publicly. Organizations handling similar volumes of user data should review their API security configurations, implement least-privilege access controls, and maintain regular security audits to prevent similar breaches.