Vercel Breach Reveals How an AI Tool Compromised Env Vars and Led to Data Leak

Vercel announced a security incident, confirming that an unauthorized party accessed parts of its internal systems and affected a small number of customers.

The attack began with the compromise of a third‑party AI tool called Context.ai . An employee had granted this tool OAuth access to their Google Workspace account. The attackers used the stolen OAuth permissions to take over the employee’s Google Workspace account, which then allowed them to infiltrate Vercel’s internal environment.

Vercel publicly disclosed the compromised OAuth client ID:

110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

and advised Google Workspace administrators to check whether any employee has authorized this app and to revoke the access immediately.

This attack chain highlights a broader risk: many AI agents request extensive Google Workspace OAuth scopes to manage email, documents, and calendars. Users often grant these permissions without considering that a breach of the AI service could turn it into a pivot point for further attacks.

After entering Vercel’s systems, the attackers accessed environment variables that were not marked as “sensitive.” Vercel’s platform distinguishes between normal variables, which can be read, and sensitive variables, which are encrypted and designed to be unreadable. In this incident, no evidence was found that sensitive variables were accessed, but the ordinary variables were exposed.

The exposure is critical because developers frequently store API keys, database passwords, and third‑party tokens in normal environment variables. Once these credentials are obtained, attackers can directly access the associated services.

Claims that the leaked data was sold on underground forums for $200 have circulated in technical communities, but Vercel’s official statement did not confirm any specific price. The company did confirm that a subset of customers received notification emails about possible credential leakage, while other accounts showed no abnormal activity.

Vercel provided a remediation checklist for all users, regardless of impact:

Review the Vercel dashboard’s account activity logs for unfamiliar actions.

Rotate all normal environment variables, especially API keys, tokens, and database credentials.

Mark newly added sensitive values with the “Sensitive” flag and avoid storing them in plain text.

Inspect recent deployment records for unexpected deployments.

Set Deployment Protection to at least the Standard level.

Rotate the current Deployment Protection token.

For administrators, search the Google Workspace admin console for the compromised OAuth App ID, revoke any authorizations, and require the affected employee to change passwords and reset two‑factor authentication.

The incident serves as a warning as AI tools, agents, and assistants increasingly request access to code repositories, email accounts, and cloud services. Even leading companies like Vercel can be compromised through a seemingly minor third‑party AI integration, underscoring the need for formal security governance around AI tool usage.

Developers should scrutinize the permissions requested by AI tools, evaluate the trustworthiness of the provider, and implement regular audits of granted access. Enterprises should incorporate AI‑tool usage into their security policies, enforce centralized OAuth approvals, conduct periodic credential clean‑ups, and mandate encryption for all sensitive secrets.