Vimeo — third-party Anodot compromise, ShinyHunters dump

Vimeo confirms 119,000 user emails exposed after attackers compromised analytics vendor Anodot's Snowflake and BigQuery instances; ShinyHunters dumps 106GB after failed extortion.

Target: Vimeo — third-party Anodot compromise, ShinyHunters dump
Date public: 5 May 2026
Sector: Technology
Attack type: Supply Chain
Threat actor: ShinyHunters
Severity: Medium
Region: United States

On 5 May 2026 the breach-notification service Have I Been Pwned listed a Vimeo dataset, and the following day Vimeo publicly confirmed the incident. Approximately 119,000 user email addresses were exposed, alongside technical metadata and video titles. The company has stated that no actual video content, valid login credentials or payment-card data were involved.

Vimeo attributed the compromise to a third party rather than a direct intrusion: Anodot, a SaaS analytics provider used across Vimeo’s stack, was breached and the attacker pivoted into Vimeo data via that integration. ShinyHunters, claiming the attack, alleged that “Snowflake and BigQuery instances data was compromised thanks to Anodot.com” — placing the breach in the same architectural lineage as the broader 2024 Snowflake-tenant attacks, where customer data sits in shared cloud-warehouse instances accessed through SaaS vendors. After Vimeo declined to negotiate, ShinyHunters dumped a 106 GB archive on its leak site.

Vimeo’s response was to disable Anodot’s credentials, remove the integration, bring in external forensic support, and notify law enforcement. The incident sits within a wider pattern that now stretches from the Salesloft/Drift OAuth campaign of August 2025 through Wynn, Pitney Bowes, Carnival, Vercel, Medtronic and Instructure in spring 2026.

A deep-dive will follow once Anodot publishes a primary disclosure of the upstream compromise and the precise data taxonomy stolen from Vimeo is corroborated. The early defender lens is the SaaS-analytics third-party-risk question: many enterprises let analytics vendors ingest production data into shared warehouse tenants without per-customer key isolation, and Anodot is the second-order link in the victim chain, the one attackers reach for once first-order targets harden.
