ShinyHunters Leak Exposes 119,000 Vimeo User Emails Following Third-Party Breach
A data breach involving third-party analytics provider Anodot has resulted in the exposure of over 119,000 Vimeo user email addresses, according to data confirmed by the breach notification service Have I Been Pwned.

The data breach originated from a security failure at Anodot, a third-party analytics provider utilized by Vimeo. According to Vimeo, the attackers gained unauthorized access to their systems by exploiting the integration with Anodot rather than breaching Vimeo’s own internal infrastructure directly. Anodot’s status page indicates that the incident began on April 4, 2026 (The Register).
The threat actor group known as ShinyHunters claimed responsibility for the incident, asserting that they compromised Snowflake and BigQuery instances through the Anodot connection. The group had previously placed Vimeo on its "pay or leak" list, threatening to release stolen data unless a ransom demand was met. After failing to reach an agreement with the company, the attackers proceeded to leak the stolen information (The Register).
While Vimeo has confirmed the breach, the company initially declined to specify the number of affected users. However, the breach notification service Have I Been Pwned has since identified at least 119,000 unique email addresses exposed in the dump, some of which were associated with user names (The Register).
Vimeo has publicly stated that the stolen databases primarily contained technical data, video metadata, and video titles, alongside the exposed email addresses. The company emphasized that the breach did not result in the exposure of actual video content, valid login credentials, or payment card information. Despite these assurances, security experts warn that such data remains valuable for malicious actors, as email lists are frequently repurposed for long-term, targeted phishing campaigns (The Register).
In response to the incident, Vimeo has taken steps to secure its environment by disabling all Anodot credentials and removing the third-party integration entirely. The company has engaged external security experts to assist with the ongoing investigation and has notified law enforcement authorities. Anodot has not issued a public statement regarding the breach (The Register).
This incident highlights the persistent risks associated with supply chain dependencies in modern enterprise environments. Even when an organization maintains robust internal security, the reliance on third-party vendors creates an expanded attack surface where a single failure at a partner firm can lead to significant data exposure. The event serves as a reminder of the necessity for rigorous third-party risk management and the continuous monitoring of vendor integrations (The Register).