Vercel Internal Data Allegedly Offered for Sale for $2 Million

Orca says it rotated potentially exposed keys and deployment credentials after the Vercel incident, and that its front end was affected but its onchain protocol and user funds were not.

Fact Check
The strongest validated evidence is the BleepingComputer report, which directly states that Vercel disclosed unauthorized access to certain internal systems and that threat actors were attempting to sell allegedly stolen data, including credentials/API keys and source code, with Telegram messages mentioning an alleged $2 million demand. This supports the core of the statement about unauthorized internal access and a BreachForums-style sale offer. Search results also corroborate that Vercel published an official incident bulletin titled 'Vercel April 2026 security incident', though I could not fetch that page successfully in this run. For the more specific social-media framing, the Odaily article was successfully traced to the X post by im23pds, which supports that 23pds was part of the dissemination chain, but the actual text of that post could not be validated because X fetches failed. Therefore, the overall claim is likely true in substance, but some details remain only partially corroborated in this run.
Summary

Vercel previously confirmed that unauthorized access to parts of its internal systems stemmed from a third-party AI tool’s OAuth compromise, creating a risk that API keys and credentials for some hosted crypto and DeFi front ends may have been exposed. Orca has now said it rotated all potentially exposed keys and deployment credentials following the incident. According to the team, Orca’s front end is hosted on Vercel, but its onchain protocol and user funds were not affected, and it will continue monitoring the situation and provide updates.

Terms & Concepts
  • OAuth: An authorization framework that allows third-party applications to access services or accounts without requiring users to share passwords directly.
  • DeFi: Short for decentralized finance, a blockchain-based ecosystem of financial applications that operate without traditional intermediaries.
  • onchain: A term describing activity or systems that operate directly on a blockchain, where transactions and protocol logic are recorded on the network.