Posted by queenelvis 23 hours ago

The Vercel breach: OAuth attack exposes risk in platform environment variables (www.trendmicro.com)
Vercel April 2026 security incident - https://news.ycombinator.com/item?id=47824463 - April 2026 (485 comments)

A Roblox cheat and one AI tool brought down Vercel's platform - https://news.ycombinator.com/item?id=47844431 - April 2026 (145 comments)

341 points | 112 comments (page 3)

ubershmekel 18 hours ago
I'm building something that isn't necessarily more secure than Vercel, but it is self hosted. I think in the future personal VPS family clouds are going to be a lot more common because of these cloud-level attacks and costs.
jwpapi 20 hours ago
What are these non-sensitive variables? Could they only be the NEXT_PUBLIC ones? Otherwise I haven't seen any difference.

Or is it the "sensitive" setting in the UI that they ask you about in the CLI? That would be crazy. That means if you decide not to mark them as sensitive, they don't store them encrypted???

donglong 20 hours ago
Those are environment variables that the frontend can consume, hence the public prefix.
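A small audit that follows from the exchange above, added here as an example (not code from the thread or from Vercel): Next.js inlines any variable with the NEXT_PUBLIC_ prefix into the browser bundle, so a credential that ends up under that prefix is shipped to every visitor. The check parses an .env-style file and flags NEXT_PUBLIC_ entries whose name or value looks like a secret; the sample file, the name patterns and the value prefixes are constructed assumptions.

```python
import re

# Constructed sample .env content; every value is fake and for illustration only.
SAMPLE_ENV = """\
NEXT_PUBLIC_API_BASE=https://api.example.test
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_test_FAKE000000000000000000000000
DATABASE_URL=postgres://app:FAKEPASS@db.example.test/app
NEXT_PUBLIC_ANALYTICS_ID=UA-000000-1
# comment lines and blanks are ignored
NEXT_PUBLIC_SESSION_TOKEN="eyJhbGciOiJIUzI1NiJ9.FAKE.FAKE"
"""

PUBLIC_PREFIX = "NEXT_PUBLIC_"
# Name fragments that usually denote a credential (assumed heuristic list).
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_KEY|ACCESS_KEY", re.I)
# Value shapes of well-known credential formats (assumed heuristic list).
SECRET_VALUE = re.compile(r"^(sk_(live|test)_|ghp_|AKIA|eyJ[A-Za-z0-9_-]+\.)")


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks/comments; strip surrounding quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs[key.strip()] = value.strip().strip("\"'")
    return pairs


def find_public_secrets(pairs):
    """Return (name, reason) for client-exposed variables that look like credentials."""
    findings = []
    for key, value in pairs.items():
        if not key.startswith(PUBLIC_PREFIX):
            continue  # server-only variable: never inlined into the browser bundle
        reasons = []
        if SECRET_NAME.search(key[len(PUBLIC_PREFIX):]):
            reasons.append("name")
        if SECRET_VALUE.match(value):
            reasons.append("value")
        if reasons:
            findings.append((key, "+".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in find_public_secrets(parse_env(SAMPLE_ENV)):
        print(f"client-exposed credential: {name} (matched by {reason})")
```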
rzgrozt 5 hours ago
I'm glad that I chose Cloudflare Pages instead of Vercel to deploy my website last week :)
throwaway27448 22 hours ago
Do any services use Vercel?
drusepth 22 hours ago
It's a really common platform for vibe coded sites, as I understand it.
raw_anon_1111 19 hours ago
I used v0 for a vibe coded internal admin app.

*BUT* I downloaded the source code from Vercel's site, built and deployed in a Docker container (I never download random npm packages to my local computer), deployed the Docker container to Lambda (choose your Docker deployment platform; they are a dime a dozen), had a tightly scoped IAM role attached to the Lambda, and my secrets were in Secrets Manager.

My deployment also had a placeholder for the secrets when it was deployed and they were never in my repo and purposefully had to be manually configured.

I would never trust something like Vercel for hosting. I'm not saying go all in on a major cloud provider. Get your own cheap VPS if that's all you need and take responsibility for your own security posture the best you can.

jdw64 22 hours ago
First of all, it is often used in Korea.
antonvs 22 hours ago
Small startups often use it but typically outgrow it quickly unless they remain small and simple.
vaguemit 22 hours ago
I recently went to BreachForums and the space was filled with this.
IshKebab 9 hours ago
Environment variables are one of the most misused features of modern Unix. Storing secrets in them is insane, despite what the 12 factor people think.
akanet 21 hours ago
This article is solely overly wordy (probably AI) restatements of essentially just what Vercel has publicly disclosed already.
phoenixranger 20 hours ago
Sad state of all sorts of media lately.
joemazerino 13 hours ago
How did the Roblox cheat pass EDR?
semiquaver 20 hours ago
I'm sure this has been said before, but the new part for me is that the initial breach happened 22 months ago and has been sitting undetected that whole time. This really looks quite bad for Vercel's security posture.