Vimeo Breach: 119K Emails & Names Exposed (2026)
Overview
In April 2026, the ShinyHunters extortion group claimed a breach of Vimeo on their “pay or leak” portal. After a failed extortion attempt, they published hundreds of gigabytes of data. While the bulk of the leaked data consisted of video titles, technical metadata, and system logs, the breach also included 119,167 unique email addresses, often paired with user names. Vimeo attributed the exposure to a compromise of Anodot, a third-party analytics vendor they used, and confirmed that no video content, login credentials, or payment card data was compromised. The incident has been reported to Have I Been Pwned, making it easy for users to verify their exposure.
What Was Exposed
The leaked data includes the following categories:
- Email Addresses – 119,167 unique accounts.
- Names – Often associated with the email addresses, but not always.
- Video Titles & Metadata – A large cache of video titles, descriptions, and internal metadata used by Vimeo’s platform.
Importantly, Vimeo explicitly stated that no valid user login credentials (like hashed passwords) or payment card information were included in the release. This means the breach is limited to personally identifiable information (PII) that can be used for social engineering or phishing.
Potential Impact
This breach carries a MEDIUM severity rating, primarily because the exposed data is relatively low-sensitivity but still exploitable in targeted campaigns. The key risks include:
- Phishing Attacks – Scammers can craft convincing emails using your name and Vimeo context, asking you to reset passwords or click malicious links.
- Account Targeting – With your email address, attackers may attempt to brute-force your Vimeo password, or pair the address with passwords leaked elsewhere in credential-stuffing attacks if you reuse passwords.
- Reputation Damage – Leaked video titles and metadata could reveal sensitive or embarrassing content about creators or businesses.
- Spam Increase – Your email address may be added to spam lists.
Because no passwords or financial data were exposed, the risk of direct account takeover or financial loss is low, but the potential for phishing remains significant.
Recommendations
If you are a Vimeo user, take these steps to mitigate risks:
- Be Alert for Phishing Emails – Watch for suspicious emails claiming to be from Vimeo. Do not click links or download attachments without verifying the sender.
- Enable Two-Factor Authentication (2FA) – Even though passwords were not exposed, adding 2FA to your Vimeo account adds a critical layer of protection.
- Use Unique Passwords – If you reuse your Vimeo password elsewhere, change it immediately. Use a password manager to generate strong, unique credentials.
- Monitor for Credential-Stuffing Attempts – Check your Vimeo account for any unauthorized login activity or changes to profile settings.
- Review Connected Services – If you linked other accounts (like Slack or YouTube) to Vimeo, verify those connections are still legitimate.
How to Check If You’re Affected
You can check if your email address was included in this breach by visiting Have I Been Pwned. Enter the email address you used for Vimeo. If it appears, the breach includes your email and possibly your name. Even if your email is not listed, remain cautious as the leaked dataset may be redistributed.
Security Insight
This breach underscores a critical vulnerability in vendor supply chains: Vimeo’s reliance on Anodot for analytics introduced a point of failure that exposed user data. It mirrors similar incidents like the 2022 LastPass breach, where a third-party compromise led to encrypted password vaults being stolen. The lesson is clear: companies must vet vendors for security practices and limit data shared with them to what is strictly necessary. Vimeo’s prompt disclosure and clear explanation of what was (and was not) exposed is a positive step, but the incident highlights that no service is immune to supply chain attacks.
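The data-minimisation lesson above, as an added example that is not part of the original report and is not Vimeo's or Anodot's code: an allowlist filter applied to analytics events before they are exported to a third-party vendor, with the user identifier replaced by a keyed token. The field names, event shape and demo key are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed allowlist: the only fields a metrics/anomaly vendor needs.
# Anything not named here is withheld by default, including new fields
# that engineers add to events later.
ALLOWED_FIELDS = {"event", "timestamp", "plan", "video_duration_s", "bitrate_kbps"}

# Constructed demo key. In practice it comes from a secret manager and is
# never shared with the vendor, so tokens cannot be mapped back to users.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample event, shaped like the categories named in this report.
SAMPLE_EVENT = {
    "event": "video_play",
    "timestamp": "2026-01-15T10:00:00Z",
    "user_id": "u-1001",
    "email": "jane.doe@example.com",
    "name": "Jane Doe",
    "video_title": "Q3 layoffs briefing (internal)",
    "video_duration_s": 312,
}


def pseudonymise(user_id: str, key: bytes) -> str:
    """Keyed one-way token: stable per user, useless without the key."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_event(event: dict, key: bytes) -> dict:
    """Return the copy of `event` that may be exported to the vendor."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if "user_id" in event:
        # The vendor can still group events per user, without an identity.
        out["user_token"] = pseudonymise(str(event["user_id"]), key)
    return out


def withheld_fields(event: dict) -> list:
    """Names of fields kept in-house, for an export audit log."""
    return sorted(k for k in event if k not in ALLOWED_FIELDS)


if __name__ == "__main__":
    print(minimise_event(SAMPLE_EVENT, DEMO_KEY))
    print("withheld:", withheld_fields(SAMPLE_EVENT))
```

With this filter in place, a compromise of the vendor yields event counts and opaque tokens rather than email addresses, names or video titles.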