Vercel Security Incident Linked to Context.ai Breach

In a significant cybersecurity development, Vercel has confirmed a security incident involving unauthorized access to parts of its internal systems. The company has linked the breach to a compromise at third-party AI provider Context.ai, highlighting growing risks within modern SaaS and AI-driven ecosystems.

According to Vercel, the incident began when an attacker successfully compromised Context.ai, an external AI tool used by one of its employees. Notably, the employee had integrated the tool with their enterprise Google Workspace account. As a result, the attacker leveraged this integration to take control of the employee’s identity within Google Workspace.

Subsequently, the attacker gained access to certain Vercel environments and environment variables. However, the company clarified that only variables not marked as “sensitive” were exposed. Moreover, Vercel emphasized that sensitive environment variables are encrypted and cannot be viewed in plain text. At this stage, the company has found no evidence indicating that sensitive data was accessed.

To strengthen its response, Vercel has engaged leading cybersecurity firm Mandiant, along with other security experts, industry partners, and law enforcement agencies. Additionally, the company has reached out to Context.ai as part of the ongoing investigation.

Importantly, the breach impacted only a limited number of Vercel customers whose credentials may have been compromised. Vercel has already notified affected users and strongly advised them to rotate credentials and secure any secrets stored in non-sensitive environment variables.

Meanwhile, the company continues to investigate whether any data exfiltration occurred. It has also released indicators of compromise tied to the Google Workspace OAuth application associated with Context.ai. Furthermore, administrators have been urged to review their systems and identify any suspicious integrations.

This incident has intensified concerns surrounding OAuth-based integrations and third-party SaaS dependencies. Security experts warn that such connections often operate beyond traditional monitoring frameworks, creating hidden vulnerabilities within enterprise environments.

Cory Michal, chief information security officer at AppOmni, said the incident fits a pattern security teams increasingly recognise in cloud and SaaS environments.

“What’s most noteworthy about this attack is that it appears to have started as a SaaS integration supply-chain compromise and then cascaded into the takeover of a trusted Vercel user and access to internal systems.”

“According to Vercel, the attacker first compromised a third-party AI tool, then used that access to take over an employee’s Google Workspace account and pivot into Vercel environments. That reflects a growing attacker playbook: abusing trusted SaaS integrations and identity connections to move from one app into a much larger enterprise environment.”

“The bigger issue is the growing risk posed by OAuth tokens and the often invisible web of third-party SaaS integrations connected to core business platforms. Once a user authorises one app, that trust can extend into email, identity, CRM, development and other systems in ways many organisations do not fully inventory or monitor, making a single compromised integration a powerful pivot point.”

“That risk is no longer theoretical. Vercel says this incident began with a compromised third-party AI tool, and Google Threat Intelligence has separately warned about widespread campaigns abusing stolen OAuth tokens tied to third-party SaaS integrations to access downstream environments and harvest sensitive data. That underscores how often this attack path is now being exploited.”

“The key lesson is that third-party risk management cannot stop at reviewing a vendor’s SOC 2 report or penetration test results. Organisations need continuous visibility into how third-party applications are connected across their SaaS estate, what OAuth grants and integration tokens they hold, and how those relationships could be abused if one provider is compromised.”

“Just as important, companies need strong log collection and analysis across these platforms so they can detect suspicious activity quickly and understand how an attacker may be moving through interconnected SaaS environments,” Michal said.

In parallel, experts have pointed out that the rapid adoption of AI tools is expanding the attack surface. These tools often integrate deeply into enterprise systems, sometimes without full visibility from security teams.

Yagub Rahimov, Founder at Polygraf AI, emphasized the severity of such overlooked integrations.

“One employee. One AI app. ‘Allow All.’ That’s how Vercel got breached.”

“The employee signed up for Context AI’s app using their enterprise account and granted broad Google Workspace permissions. When that OAuth token was stolen, the attacker did not need credentials or need to bypass MFA. They simply used a valid token exactly as it was permitted to be used.”

“The Salesloft-Drift breach in late 2025 worked the same way: attackers stole OAuth tokens from an integration provider and used trusted connections to move straight into hundreds of customer environments without triggering a single login alert.”

“The technical problem is that OAuth tokens granted to third-party apps fall outside most organisations’ detection scope. They do not appear in login logs. They do not trigger MFA prompts. Context AI was compromised a month before anyone at Vercel knew there was a problem, and CrowdStrike apparently did not flag the OAuth tokens as part of their investigation scope.”

“The token just kept working silently, with whatever permissions the employee gave it on day one. It’s the same problem we see all the time at Polygraf AI: AI tools quietly holding OAuth access to corporate accounts that nobody is watching. The breach surface is not your perimeter anymore. It’s every OAuth grant your employees ever clicked through,” Rahimov said.

Despite the incident, Vercel confirmed that its services remain fully operational. The company has since implemented enhanced monitoring and additional security controls across its infrastructure. It has also urged customers to review account activity logs, audit integrations, and rotate any exposed credentials.

Recommended Cyber Technology News:

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com

🔒 Login or Register to continue reading

Tags: AI security, Context.ai, data exposure, OAuth attack, SaaS risk, Vercel

CyberTech Media Room

CyberTech Media Room is the editorial intelligence arm of CyberTech Insights, focused on delivering high-impact narratives at the intersection of cybersecurity, data infrastructure, AI systems, and enterprise risk. Built for decision-makers, analysts, and technology leaders, the CyberTech Media Room translates complex security developments into structured, actionable intelligence. Its coverage spans threat landscapes, regulatory shifts, cyber resilience frameworks, and emerging technologies shaping modern enterprise defense. The editorial approach is grounded in three principles: Signal over noise — prioritizing relevance, depth, and strategic clarity over volume Intelligence-led storytelling — combining data, expert perspectives, and market context Decision utility — ensuring every piece contributes to informed business or technology outcomes CyberTech Media Room collaborates with industry practitioners, researchers, and enterprise leaders to surface insights that matter—from boardroom-level risk considerations to operational security strategies. Positioned beyond traditional media, it operates as a strategic intelligence layer for organizations navigating an increasingly complex and adversarial digital environment.