5 days ago
Security

Vercel confirms breach as hackers sell stolen data

Cloud development platform Vercel has confirmed a security incident following claims by threat actors that they have breached its systems and are attempting to sell stolen data. Vercel, widely known for developing the Next.js framework and providing serverless functions, edge computing, and CI/CD pipelines, disclosed in a security bulletin that a limited subset of customers was affected by unauthorized access to certain internal systems. The company stated it is actively investigating the breach and has engaged incident response experts to assist with remediation. Law enforcement has also been notified, and the company promised to provide further updates as the investigation progresses.

While Vercel confirmed that its core services remain operational and unimpacted, it is working directly with affected customers to mitigate risks. The company advised users to review their environment variables, utilize its sensitive environment variable feature, and rotate any secrets if necessary.

The disclosure follows an announcement by a threat actor claiming to be part of the ShinyHunters group on a hacking forum. This individual asserted they had stolen access keys, source code, database data, internal deployment access, and API keys. As proof of the breach, the attacker shared a screenshot of an internal Vercel Enterprise dashboard and a text file containing 580 employee records. These records reportedly included names, email addresses, account status, and activity timestamps. The attacker also claimed to have obtained NPM tokens and GitHub tokens, along with access to multiple employee accounts.

It is worth noting that while the attacker claimed affiliation with ShinyHunters, groups recently linked to similar extortion attacks have denied involvement in this specific incident to media outlets. BleepingComputer, which reported on the incident, stated it has not been able to independently verify the authenticity of the leaked data or screenshots.

In additional communications shared on Telegram, the threat actor claimed to be in contact with Vercel regarding the incident. They alleged that a ransom demand of $2 million was discussed. The attacker expressed willingness to provide further access to employee accounts and internal systems in exchange for payment. Vercel has not publicly confirmed any ransom negotiations.

When contacted for comment, Vercel did not explicitly confirm whether sensitive data or credentials were fully exposed beyond the internal access initially reported, nor did it confirm active negotiations with the attackers. The company emphasized its ongoing efforts to protect its user base and promised to provide updates as more information becomes available. The incident underscores the ongoing cybersecurity challenges facing cloud infrastructure providers and highlights the importance of robust secret management practices for developers using these platforms.
