The Vimeo breach and the dangers of delegated trust – TechRadar

At the end of April, Vimeo, the second-largest video hosting, sharing, and streaming service after YouTube, publicly confirmed it had suffered a data breach affecting around 119,000 users and customers. As is often the case, however, the devil is in the details. ShinyHunters, the ransomware group that claimed responsibility, threatened to release Vimeo data on the dark web after breaching the defenses of Anodot, an analytics company that provides real-time anomaly detection. Anodot’s product requires direct access to its customers’ cloud data sources, such as Snowflake, BigQuery, S3, and Kinesis, to monitor metrics at the data source level. On April 4, Anodot reported a broad outage when its data collectors went down across Snowflake, S3, and Kinesis. What initially appeared to be an availability incident turned out to be an active intrusion, and ShinyHunters were already inside Anodot’s environment and, by their own claim, had been there long enough to map the connected customer environments. They exfiltrated OAuth tokens and API keys that Anodot used to read its customers’ clouds, then logged directly into those customer clouds. The knock-on effect was felt by dozens of companies, including Rockstar Games, with ShinyHunters claiming to have exposed the company’s internal analytics and
Read More