VIMEO confirmed a security breach linked to Anodot, with metadata, video titles and some user email addresses exposed, while user-uploaded videos, login credentials and payment card data were not affected and the service continued to operate normally. The incident was described as a third-party breach, with Anodot described as a vendor used by Vimeo and many other companies.
Attackers associated with the extortion group ShinyHunters claimed the breach and warned they would leak data by 30 April 2026 unless demands were met. They asserted access to Vimeo’s Snowflake and BigQuery environments and said they took more than 78.6 million records from Rockstar Games, though they have not confirmed the exact amount taken from Vimeo.
The disclosed activity involved stolen authentication tokens from Anodot used to access customer cloud environments to extract data, and Vimeo said it disabled Anodot credentials and removed the integration to stop further access, while law enforcement and external security experts assist in the investigation.