Hacker News Viewer

The Vercel breach: OAuth attack exposes risk in platform environment variables

by queenelvis on 4/21/2026, 5:14:35 PM

Vercel April 2026 security incident - https://news.ycombinator.com/item?id=47824463 - April 2026 (485 comments)

A Roblox cheat and one AI tool brought down Vercel's platform - https://news.ycombinator.com/item?id=47844431 - April 2026 (145 comments)

https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html

Comments

by: westont5

I'm not sure I've seen it mentioned yet that when Vercel rolled out their environment variable UI, there was no "sensitive" option: https://github.com/vercel/vercel/discussions/4558#discussioncomment-3665817. There were ~2 years or more until it was introduced: https://vercel.com/changelog/sensitive-environment-variables-are-now-available

4/21/2026, 5:55:33 PM


by: _pdp_

> OAuth trust relationship cascaded into a platform-wide exposure

> The CEO publicly attributed the attacker's unusual velocity to AI

> questions about detection-to-disclosure latency in platform breaches

Typical! The main failures in my mind are:

1. A user account with far too many privileges - possibly many others like them

2. No or limited 2FA or any form of Zero Trust architecture

3. Bad cyber security hygiene

4/21/2026, 6:12:52 PM


by: datadrivenangel

"Effective defense requires architectural change: treating OAuth apps as third-party vendors, eliminating long-lived platform secrets, and designing for the assumption of provider-side compromise."

Designing for provider-side compromise is very hard because that's the whole point of trust...

4/21/2026, 5:47:33 PM


by: saadn92

What bites people: rotating a Vercel env variable doesn't invalidate old deployments, because previous deploys keep running with the old credential until you redeploy or delete them. So if you rotated your keys after the bulletin but didn't redeploy everything, then the compromised value is still live.

Also worth checking your Google Workspace OAuth authorizations. Admin Console > Security > API Controls > Third-party app access. Guarantee there are apps in there you authorized for a demo two years ago that are still sitting with full email/drive access.

4/21/2026, 5:55:35 PM


by: tom1337

I still don't get how exactly this worked. Is the OAuth token they talk about the one that you get when a user uses "Sign in with Google"? Aren't they then bound to the client id and client secret of that specific Google app the user signed in to? How were the attackers able to go from that to a control plane? Because even if the attacker knows the user's OAuth token, the client id and the client secret, they can access the Google Drive etc. (which is bad, I get that) but I simply do not understand how they could log in to any Vercel systems from that point. Did they find the credentials in the Google Drive?

4/21/2026, 6:15:27 PM


by: krooj

Interesting - I wonder if this isn't a case of theft of a refresh token that was minted by a non-confidential 3LO flow w/PKCE. That would explain how a leaked refresh token could then be used to obtain access, but does the Vercel A/S not implement any refresh token reuse detection? i.e.: you see the same R/T more than once, you nuke the entire session b/c it's assumed the R/T was compromised.

4/21/2026, 6:26:28 PM
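The reuse-detection behaviour krooj describes, as an added example that is not from the post and not Vercel's own implementation (the AuthServer class and its in-memory storage are assumptions): each refresh rotates the token within a session "family", and presenting an already-rotated token again revokes the whole family rather than just the replayed token.

```python
import hashlib
import secrets


class AuthServer:
    """Toy authorization server with refresh-token rotation and reuse detection.

    Every refresh invalidates the presented token and issues a fresh one in the
    same session family. If a token that was already rotated is presented
    again, the server cannot tell which holder is the thief, so it revokes the
    entire family (assumed design, not any real provider's code).
    """

    def __init__(self):
        self._sessions = {}   # session_id -> {"current": token_hash, "revoked": bool}
        self._index = {}      # token_hash -> session_id, for every token ever issued

    @staticmethod
    def _fingerprint(token):
        # Store only a hash so a dump of this table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, session_id):
        token = secrets.token_urlsafe(32)
        fp = self._fingerprint(token)
        self._sessions[session_id]["current"] = fp
        self._index[fp] = session_id
        return token

    def issue_session(self):
        """Start a session (e.g. after login); return (session_id, refresh_token)."""
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = {"current": None, "revoked": False}
        return session_id, self._mint(session_id)

    def refresh(self, presented):
        """Exchange a refresh token for a new one; return None if rejected."""
        fp = self._fingerprint(presented)
        session_id = self._index.get(fp)
        if session_id is None:
            return None                      # never issued by us
        session = self._sessions[session_id]
        if session["revoked"]:
            return None                      # family already killed
        if session["current"] != fp:
            session["revoked"] = True        # replay of a rotated token: assume theft
            return None
        return self._mint(session_id)

    def is_revoked(self, session_id):
        return self._sessions[session_id]["revoked"]
```

A legitimate client that loses the response to a refresh (network failure) will also trip this, so production servers usually add a short grace window; the example omits that deliberately to keep the detection logic visible.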



by: vaguemit

I recently went to BreachForums and the space was filled with this

4/21/2026, 5:28:39 PM


by: throwaway27448

Do any services use vercel?

4/21/2026, 5:45:57 PM


by: pphysch

Security-by-obfuscation is ridiculed but I'm a firm believer that preventing yourself from getting owned when someone is able to type 3 letters `env` is a worthy layer of defense. Even if those same secrets are unencrypted somewhere else on the same system, at least make them spend a bunch of time crawling through files and such.

4/21/2026, 5:41:29 PM
