Vercel Internal Data Allegedly Offered for Sale for $2 Million

According to Vercel’s official announcement, unauthorized access to internal systems was linked to a third-party AI tool’s OAuth compromise, raising concerns over possible API key and credential exposure for crypto and DeFi front ends hosted on Vercel.

Fact Check
The strongest validated evidence is the BleepingComputer report, which directly states that Vercel disclosed unauthorized access to certain internal systems and that threat actors were attempting to sell allegedly stolen data, including credentials/API keys and source code, with Telegram messages mentioning an alleged $2 million demand. This supports the core of the statement about unauthorized internal access and a BreachForums-style sale offer. Search results also corroborate that Vercel published an official incident bulletin titled 'Vercel April 2026 security incident', though I could not fetch that page successfully in this run. For the more specific social-media framing, the Odaily article was successfully traced to the X post by im23pds, which supports that 23pds was part of the dissemination chain, but the actual text of that post could not be validated because X fetches failed. Therefore, the overall claim is likely true in substance, but some details remain only partially corroborated in this run.
Summary

Vercel confirmed in an official announcement on the 19th that unauthorized access to its internal systems resulted from the compromise of a third-party AI tool through OAuth. The company said the incident created risks that API keys and credentials could be exposed, including for crypto and DeFi front ends hosted on Vercel. This adds confirmed cause and impact context to earlier external claims that alleged Vercel internal data was being offered for sale for $2 million, claims whose full scope remains unverified by the company.

Terms & Concepts
  • OAuth: An authorization framework that lets users grant third-party applications limited access to accounts or services without sharing passwords directly.
  • API key: A credential used to authenticate and authorize access to an application programming interface or connected service.
  • DeFi: Short for decentralized finance, a blockchain-based ecosystem of financial applications that operate without traditional intermediaries.