Posted by colesantiago 14 hours ago

Vercel April 2026 security incident (www.bleepingcomputer.com)
https://vercel.com/kb/bulletin/vercel-april-2026-security-in...
569 points | 328 comments | page 3
leetrout 10 hours ago
Porter also had a breach recently. I assume it is as tightly scoped as they say to not have publicized it.
neom 13 hours ago
https://x.com/theo/status/2045871215705747965 - "Everything I know about this hack suggests it could happen to any host"

He also suggests in another post that Linear and GitHub could also be pwned?

Either way, hugops to all the SRE/DevOps out there, seems like it's going to be a busy Sunday for many.

phillipcarter 13 hours ago
I don't know if I'd trust some random programmer-streamer-influencer on anything other than the topic of streamer-influencing.
hvb2 13 hours ago
The link at the top of the page is to Vercel acknowledging it...
phillipcarter 11 hours ago
Vercel acknowledges a security incident, which nobody is claiming doesn't exist. What they don't acknowledge are this person's vague implications about impact elsewhere.
embedding-shape 13 hours ago
Based on what, "feels like it"? Claiming that Cloudflare is affected by the same hack has to come from somewhere, but where is that coming from?
gruez 13 hours ago
from his "sources".

> Here’s what I’ve managed to get from my sources:

> 3. The method of compromise was likely used to hit multiple companies other than Vercel.

https://x.com/theo/status/2045870216555499636

To be fair, journalists often do this too, e.g. "[company] was breached, people within the company claim".

eddythompson80 13 hours ago
Isn’t he a Vercel evangelist though?
TiredOfLife 9 hours ago
He quite publicly is not anymore.
troupo 12 hours ago
He is "whatever gives me a short-term boost in popularity", including doing 180-degree turns on whatever he's evangelizing or bashing.
eddythompson80 12 hours ago
Fair enough. That's probably a better description from what I've seen of him. I remember that Arc browser shilling.
Barbing 12 hours ago
Good for the content but would sponsors be on board long term?
brazukadev 10 hours ago
Let's see. Roasting Vercel is more popular than defending it, but in his posts so far he seems to be defending it and arguing in the replies.
recursivegirth 13 hours ago
Ah, Theo with his vast insights and connections into everything. That man gets around, and his content is worth its cost.

Theo's content boils down to the same boring formula:

1. Whatever buzzword headline is trending at the time.
2. An immediate sponsored ad that is supposed to make you sympathize with Theo because he "vets" his sponsors.
3. The man makes you listen to a "that totally happened" story in which he somehow always involved himself personally.
4. The man serves you up an ad for his t3.chat, how it's the greatest thing in the world, and how he should be paid more for his infinite wisdom.
5. A rag on Claude or OpenAI (whichever is leading at the time).
6. 5-10 minutes of paraphrasing an article without critical thought or analysis of the video topic.

I used to enjoy his content when he was still in his Ping era, but it's clear he's drunk the YT marketer Kool-Aid. I've moved on; his content gets recommended now and again, but I can't entertain his nonsense anymore.

rubslopes 12 hours ago
I just wanted to chime in and say I think he is knowledgeable; he's not a con. I know you didn't say that, but people might have the impression he doesn't know what he's talking about. He does know, and I've learned quite a lot from him in the past.

However, since the LLM Cambrian explosion, he has become very clickbaity, and his content has become shallow. I don't watch his videos anymore.

sgarland 12 hours ago
Not that I ever had confidence in his technical knowledge, but it went to zero when he confidently asserted that there was no possible way a single server could handle the massive traffic some NextJS app he had made was serving. He then posted the bill - which was about $5K IIRC - and I was able to determine from the billed runtime and memory that a modestly-spec’d RPi could in fact handle it.
well_ackshually 11 hours ago
> he's not a con.

When you're putting the bar that low, sure.

He's about as knowledgeable as the junior you hired last week, except that he speaks from a position of authority and gets retweeted by the entire JS slop sphere. He's LinkedIn slop for Gen Z.

neom 12 hours ago
I don't watch his content, but I felt comfortable posting his link as I believe he's generally considered a reputable guy? His tweets sometimes come up in my For You tab and he seems reasonable and knowledgeable generally? Maybe I'm wrong and shouldn't have linked to him as a source.
steve_adams_86 12 hours ago
He's kind of like an LLM in that his content has the surface texture of something substantial, and sometimes it's backed by substance, yet it's often half-true or totally off the mark too. You'll notice if you're previously acquainted with what he's talking about, otherwise he seems to be as you described.

I don't think he's a bad guy or that he's trying to be misleading. I suspect he wants his content to actually carry value, but he produces too much for that to be possible. Primarily he's a performer, not a technologist.

arabsson 12 hours ago
I agree with this comment. YouTube's summarize this video feature has been a godsend when it comes to Theo's videos.
threetonesun 12 hours ago
Nothing on x.com is reputable at this point.
techpression 13 hours ago
"Any host" of what? That's such a non-descriptive statement and clearly not true at face value.
rvz 13 hours ago
I do remember that OpenAI did use Vercel a year ago. They might have likely moved off of it to something better.
pxc 4 hours ago
OpenAI owns Contexts.ai, doesn't it?
nozzlegear 12 hours ago
> @theo: "I have reason to believe this is credible. If you are using Vercel, it’s a good idea to roll your secrets and env vars."

> @ErdalToprak: "And use your own vps or k3s cluster there’s no reason in 2026 to delegate your infra to a middle man except if you’re at AWS level needs"

> @theo: "This is still a stupid take"

lol, okay. Thanks for the insight, Theo, whoever you are.

uxhacker 10 hours ago
What are AWS-level needs?
raw_anon_1111 8 hours ago
Hell, doing this with fixed-price AWS Lightsail based services would be better.
nozzlegear 8 hours ago
You'll have to ask @ErdalToprak on Twitter on that one. I just thought it was funny that this slopfluencer, who's taken money to advertise Vercel, ostensibly believes that using a VPS/k3s is "a stupid take."
nozzlegear 3 hours ago
Theo subscribers didn't like this one
jngiam1 6 hours ago
I don't get why everything is not marked as sensitive in env vars by default instead.
philip1209 9 hours ago
We proactively rotated keys. Even if you haven’t received an official email, expect customers to inquire about this tomorrow morning.
oxag3n 9 hours ago
> incident response provider

So they use a third party for incident management? They are de-risking by spending more, which is a lose-lose for the customers.

staticassertion 3 hours ago
It's very typical to have a retainer / insurance to bring in "emergency" incident responders beyond your existing team. Not saying that's the case here but it wouldn't be surprising.
james-clef 8 hours ago
The point I am taking away here is to never use Vercel's environment variables to store secrets.
eieiyo 10 hours ago
https://news.ycombinator.com/item?id=45416353
gneray 13 hours ago
Oy vey: https://x.com/theo/status/2045862972342313374?s=46
rubiquity 13 hours ago
He doesn't work at Vercel but he is the type to never pass up any opportunity to chase clout.
dankwizard 3 hours ago
He is affiliated with Vercel, though.
threecheese 12 hours ago
Almost like that’s his job.

Hey, I’m with you - I think social media needs to die specifically for this reason. I’m reminded of the term “snake oil” - it’s like the dawn of newspapers again.

TiredOfLife 9 hours ago
Media as a whole needs to die
hoppyhoppy2 5 hours ago
Including books and the internet?
ofabioroma 14 hours ago
Time to IPO
ebbi 9 hours ago
Ahhh...another product I'm boycotting, and now doubly glad I'm boycotting.