Vercel Got Breached. What's the Lesson For TPRM Teams?
In April 2026, Vercel disclosed that an attacker accessed customer environments through a compromised third-party AI tool called Context.ai. The chain was almost mundane: a Context.ai employee downloaded a malicious Roblox script and was infected with Lumma Stealer, which exposed an OAuth token tied to their Google Workspace account. From there, the attacker pivoted into a Vercel employee's account and read environment variables across some Vercel customer environments.
If Vercel is one of your vendors, here's how to think about it.
If you're a large enterprise using Vercel for critical activity
They're hot. Engineering teams love them. But a lot of things don't check the "stable" box:
- ✕ Privately held — they don't share financials.
- ✕ Less than $1B in revenue.
- ✕ Not FedRAMP certified.
- ✕ Not HITRUST certified.
That's not a disqualifier on its own, but it's a different risk profile than putting AWS or Azure behind the same workload. Certifications, maturity, and market scrutiny are signals — and those signals say Vercel is still building into its blast radius.
The point is not "don't use Vercel"
The point is that if you're using them for customer-facing activities, the math doesn't work in your favor. Run it through the framework:
- Inherent risk: High. Customer data, brand exposure, regulatory implications.
- Control effectiveness: Middle of the road. SOC 2 is in place, but the certification gaps and the recent breach pattern point to a vendor still maturing relative to its blast radius.
- Residual risk: High enough to require executive approval — not a procurement rubber stamp.
If you're only using test data
Inherent risk drops considerably. Treat it accordingly. Don't waste cycles forcing internal tooling, marketing pages, or non-production workloads through the same gate as customer-facing systems.
The takeaway
The Vercel breach is a clean example of why "we use [hot vendor]" is the start of a risk conversation, not the end of it. Production vs. non-production matters more than the logo — and if a vendor's residual risk lands in the red, someone with real authority should be the one signing for it.