The Vercel breach: OAuth attack exposes risk in platform environment variables


Article

TL;DR

A Roblox exploit script infected a Context.ai employee's machine; the compromise cascaded through an OAuth grant to the environment variables of Vercel customers.

Key Takeaways

  • The attacker held access for roughly 22 months before detection; the breach was disclosed in February 2026.
  • Rotating an environment variable in project settings does not touch deployments that already exist: each deployment is built with the values current at build time, so the old credential stays live in every existing deploy until that deploy is rebuilt or deleted.
  • Root cause: one employee granted a third-party AI tool full access to their Google Workspace account.
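The third takeaway is the check a Workspace admin can actually run: enumerate OAuth grants per user and flag third-party apps holding mail, Drive or directory scopes. The script below is an added example for this page, not code from the article, from Vercel or from Google. It assumes the item shape the Admin SDK Directory API `tokens.list` returns (clientId, displayText, scopes, userKey) and works on a constructed sample instead of calling the API, so it runs offline; the client IDs and the approved-client list are placeholders.

```python
"""Audit Google Workspace OAuth grants for over-privileged third-party apps.

Added example for this page, not code from the article, from Vercel or from
Google. It assumes the item shape the Admin SDK Directory API `tokens.list`
returns (clientId, displayText, scopes, userKey) and works on a constructed
sample instead of calling the API, so it runs offline.
"""
from dataclasses import dataclass, field

# Scopes that give an app the run of a user's mail, files or the directory.
# Any one of these in an unapproved grant is reported as high severity.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
}

# Scopes a meeting-notes or assistant tool plausibly needs. Anything that is
# neither here nor in BROAD_SCOPES is reported as medium severity so a human
# reviews it.
EXPECTED_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.file",  # only files the app created
}

# Client IDs the security team has reviewed (assumed; placeholder values).
APPROVED_CLIENTS = {"123-approved-sso.apps.googleusercontent.com"}

# Constructed sample of tokens.list output for three users (placeholder IDs).
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com",
     "clientId": "111-notes-ai.apps.googleusercontent.com",
     "displayText": "Notes AI",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "bob@example.com",
     "clientId": "111-notes-ai.apps.googleusercontent.com",
     "displayText": "Notes AI",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com",
     "clientId": "222-crm-sync.apps.googleusercontent.com",
     "displayText": "CRM Sync",
     "scopes": ["email",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "carol@example.com",
     "clientId": "123-approved-sso.apps.googleusercontent.com",
     "displayText": "Approved SSO",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/drive"]},
]


@dataclass
class Finding:
    user: str
    app: str
    severity: str  # "high" or "medium"
    broad: list = field(default_factory=list)
    unexpected: list = field(default_factory=list)


def audit_grants(tokens, approved=APPROVED_CLIENTS):
    """Return one Finding per unapproved grant that is broader than expected."""
    findings = []
    for t in tokens:
        if t["clientId"] in approved:
            continue
        scopes = set(t["scopes"])
        broad = sorted(scopes & BROAD_SCOPES)
        unexpected = sorted(scopes - BROAD_SCOPES - EXPECTED_SCOPES)
        if broad:
            findings.append(Finding(t["userKey"], t["displayText"], "high", broad, unexpected))
        elif unexpected:
            findings.append(Finding(t["userKey"], t["displayText"], "medium", broad, unexpected))
    return findings


def report(findings):
    """One line per finding, highest severity first, then by user."""
    order = {"high": 0, "medium": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.user)):
        detail = ", ".join(f.broad or f.unexpected)
        lines.append(f"[{f.severity.upper()}] {f.user} -> {f.app}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(audit_grants(SAMPLE_TOKENS)):
        print(line)
```

The same app shows up once as high and once clean, because the grant is per user, not per app: Alice accepted the full Drive and Gmail scopes, Bob accepted only calendar. That is the shape of the failure the takeaway describes, one employee's consent screen, and it is why the audit has to be run over every user's tokens rather than over an app allowlist alone.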

Discussion

Top comments:

  • [pdp]: Real failures: overprivileged accounts, no zero-trust, poor 2FA hygiene
  • [saadn92]: Rotating env vars without redeploying leaves compromised values live in old deploys
  • [pier25]: Headline blames env vars but real issue is Google Workspace → production access

    By far the biggest issue is being able to access the production environment of millions of customers from a Google Workspace. Only a handful of Vercel employees should be able to do that with 2FA if not 3FA.

  • [semiquaver]: Breach sat undetected 22 months — deeply bad security posture signal for Vercel
  • [LudwigNagasena]: Single employee granted AI tool full Google Workspace access voluntarily
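The second takeaway and [saadn92]'s comment make the same point: rotating a value in project settings does nothing for deployments that were already built with the old one. What a responder wants after a rotation is a list of every deployment that still carries the old value and can still serve. The script below is an added example for this page, not code from the article or from Vercel. It uses the field names the Vercel REST API returns from GET /v6/deployments (uid, url, created as epoch milliseconds, state, target); that shape is an assumption, and the deployment records are constructed.

```python
"""Find deployments still carrying a pre-rotation environment variable value.

Added example for this page, not code from the article or from Vercel. A
deployment reads its environment variables at build time, so rotating a value
in the project settings leaves every existing deployment, production and
preview alike, running with the old value until it is rebuilt or deleted.
The records below use the field names the Vercel REST API returns from
GET /v6/deployments (uid, url, created in epoch ms, state, target); that
shape is an assumption, and the records are constructed.
"""
from datetime import datetime, timezone


def ms(year, month, day):
    """Epoch milliseconds for midnight UTC, the unit used for `created`."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# The secret was rotated in project settings at this moment (constructed).
ROTATED_AT = ms(2026, 2, 15)

# Constructed sample: four deployments of one project.
SAMPLE_DEPLOYMENTS = [
    {"uid": "dpl_a1", "url": "app-a1.example.vercel.app", "created": ms(2026, 1, 1),
     "state": "READY", "target": "production"},  # built before rotation
    {"uid": "dpl_b2", "url": "app-b2.example.vercel.app", "created": ms(2026, 2, 3),
     "state": "READY", "target": None},          # preview, before rotation
    {"uid": "dpl_c3", "url": "app-c3.example.vercel.app", "created": ms(2026, 2, 3),
     "state": "ERROR", "target": None},          # failed build, never served
    {"uid": "dpl_d4", "url": "app-d4.example.vercel.app", "created": ms(2026, 3, 1),
     "state": "READY", "target": "production"},  # built after rotation
]


def stale_deployments(deployments, rotated_at_ms):
    """Deployments built before the rotation that can still serve traffic.

    ERROR and CANCELED builds never serve, so they cannot expose the old
    value; everything else built before rotated_at_ms still has it baked in,
    including previews that are only reachable at their own URL.
    """
    stale = [d for d in deployments
             if d["state"] not in ("ERROR", "CANCELED")
             and d["created"] < rotated_at_ms]
    return sorted(stale, key=lambda d: d["created"])


def remediation(deployments, rotated_at_ms):
    """Map each stale deployment uid to an action.

    The current production head (newest READY production deployment) is the
    one users hit, so if it is stale it must be rebuilt with the new value.
    Every other stale deployment is deleted: it stays reachable at its own
    URL and keeps the old credential alive for as long as it exists.
    """
    ready_prod = [d for d in deployments
                  if d["target"] == "production" and d["state"] == "READY"]
    head = max(ready_prod, key=lambda d: d["created"])["uid"] if ready_prod else None
    return {d["uid"]: ("rebuild" if d["uid"] == head else "delete")
            for d in stale_deployments(deployments, rotated_at_ms)}


if __name__ == "__main__":
    for uid, action in remediation(SAMPLE_DEPLOYMENTS, ROTATED_AT).items():
        print(f"{action:8} {uid}")
```

In the sample, the post-rotation production deploy `dpl_d4` means the stale production deploy `dpl_a1` is no longer the head and is simply deleted along with the stale preview; drop `dpl_d4` from the list and the script instead tells you to rebuild `dpl_a1`, which is the case the takeaway warns about: the value was rotated, nothing was redeployed, and production is still running on the old credential.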
