May 08, 2026 · 9 min read

ShinyHunters Just Dumped 119,000 Vimeo Users' Emails Through the Same Anodot Pipeline That Hit Rockstar Games

Vimeo refused to pay the extortion. Two days later ShinyHunters posted a 106GB archive on its leak site—the second wave of the same breach that took down Snowflake customers in April.

Laptop with a video streaming interface connected by a glowing blue data pipeline to a darkened server rack, with a small red breach indicator on the cable

What Happened

On May 5, 2026, Vimeo confirmed that hackers stole personal information from approximately 119,000 of its users in April 2026. Have I Been Pwned added the leaked dataset to its database the same day, exposing 119,200 unique email addresses.

Vimeo did not get breached directly. The attackers came in through Anodot, a third party data analytics company integrated into Vimeo's pipeline. Once Vimeo's negotiations with ShinyHunters fell apart, the gang published a 106GB archive of stolen documents on its dark web leak site. ShinyHunters' note read: "The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made."

This is not the first organization compromised through Anodot. The same actor used the same access path to raid more than a dozen Snowflake customers in early April, including Rockstar Games. Vimeo is the most public victim from the second wave.

How the Attack Worked

Anodot is an AI driven anomaly detection platform that watches business metrics in cloud data warehouses. To do that job, it needs a long lived authentication token into every customer's environment—Snowflake, BigQuery, and similar back ends. Those tokens look like any other internal connection from a trusted partner.

ShinyHunters compromised Anodot, harvested those tokens, and then used them to log into customer environments as Anodot itself. According to Rescana's analysis, the attacker accessed both Vimeo's Snowflake and BigQuery instances. There was no Snowflake vulnerability. There was no Vimeo vulnerability. The trust relationship between Vimeo and Anodot was the attack surface.

When the queries went out, they looked normal. Analytics tools query large volumes of data by design—pulling in user records, video metadata, and usage telemetry. The attackers ran the same kinds of queries Anodot would run, only against tables Anodot had no business reading. Vimeo did not catch the activity in the moment. The intrusion came to light when ShinyHunters started naming Vimeo on its dark web leak site in late April.

What Was Taken

Vimeo's official disclosure says the stolen material covered "technical data, video titles and metadata, and, in some cases, customer email addresses." Login credentials, payment information, and the videos themselves were not in the breach.

In practice, that bland list contains all of the following:

119,200 unique email addresses linked to Vimeo accounts
Names paired with some of those email addresses
Video titles, including for unlisted and password protected uploads
Operational metadata about how customers use Vimeo's platform
106 gigabytes of additional data dumped to ShinyHunters' onion leak site

Vimeo says the data falls short of the 270 million accounts ShinyHunters originally claimed. That gap matters less than the company suggests. ShinyHunters now has 119,000 verified Vimeo users it can sell, phish, or hand to other gangs as a starter list.

Why "Just Email Addresses" Is Not a Small Breach

Companies have spent two decades convincing the public that an email leak is harmless. The reality has shifted. Email is now the universal account identifier and the universal recovery channel for almost everything else a person owns online.

Once an attacker confirms an address belongs to a Vimeo user, three follow up moves get easier:

Targeted phishing. A "Vimeo password reset required" email sent to a confirmed Vimeo user passes both spam filters and the user's own gut check. Generic phishing campaigns work at low single digit conversion rates. Targeted campaigns built on confirmed account lists run an order of magnitude higher.
Credential stuffing. Most users still reuse passwords. Pairing a confirmed Vimeo email with a leaked password from another breach often unlocks the account on the first try.
Cross referencing with other breaches. ShinyHunters does not just leak data—it joins data. Combined with leaks from Hallmark, McGraw Hill, Carnival, and the rest of the gang's catalog, an email address becomes a profile.

The pixels that read your inbox depend on this exact pattern. Tracking pixels match an email open back to a person, then enrich the profile with everything else the marketer or attacker can pull from third parties. A confirmed email is the seed of every other surveillance dataset.

ShinyHunters' Operating Pattern

The Vimeo dump fits a script ShinyHunters has run for almost a year. Find a vendor with privileged access into many enterprise environments. Compromise that vendor once. Walk through the front door of every customer using its tokens. Extort each one individually.

In 2026 alone, ShinyHunters has been credited with breaches at Hallmark, Canada Life, McGraw Hill, Medtronic, Carnival, ADT, and now Vimeo. The Salesforce wave hit at least 39 organizations through one shared OAuth misuse pattern. The Anodot wave hit Snowflake and BigQuery customers through stolen analytics tokens. The Canvas extortion campaign announced this week threatens roughly 9,000 educational institutions. The pattern is identical—one shared dependency, dozens of victims, individual ransom demands.

Vimeo's refusal to pay is the data point that matters most for everyone else negotiating with this gang. Vimeo took a public hit, lost 106GB of internal documents, and left ShinyHunters with one fewer reason to extort the next victim. The companies still in private negotiations now know what Vimeo's "no" looks like.

What Vimeo Users Should Do Today

Vimeo says it will notify affected users directly. Do not wait for the email. The address is already in Have I Been Pwned and already in front of phishing operators.

Search Have I Been Pwned for any email you have used with Vimeo. The dataset was indexed on May 5, 2026.
Reset the Vimeo password even though the company says credentials were not in the breach. The phishing wave that follows a leak like this will impersonate a Vimeo password reset—change it on your terms before that email arrives.
Turn on two factor authentication for the Vimeo account and for any email account you used to register. SMS based 2FA is fine here, an authenticator app is better.
Do not click password reset links from emails for the next several months. Type vimeo.com directly. The first wave of follow on phishing will be near indistinguishable from the real notification Vimeo plans to send.
Audit anywhere else you reused that password. Treat any service tied to that email as also at risk until you have rotated the credential.

The Bigger Picture for Email Privacy

Every breach like this hardens the same conclusion: an email address is no longer "low sensitivity" data. It is the master key to a person's entire online identity, and the asset class that matters most to the criminals running double extortion campaigns.

Vimeo did not control Anodot's security. Anodot's customers did not control Anodot's incident response. The 119,000 affected users did not control any of the above. They handed an email address to a video platform a decade ago and ended up on a leak site this week. The supply chain is the breach.

There is no patch for the third party analytics layer of the modern web from a user's perspective. The only useful response is to keep the email itself harder to weaponize: do not reuse it across high value accounts, do not let it stay matched to a real time location through tracking pixels, and treat every "urgent password reset" as suspect by default until the next decade of breaches stops.