A leaksear.ch-indexed Vercel leak contains 230 customer account metadata records, with the breach date listed as April 19, 2026 (leaksear.ch metadata). Vercel said the April 2026 incident involved unauthorized access to internal systems after a compromise at Context.ai was used to take over a Vercel employee's Google Workspace account (vercel.com).
What happened
Vercel's security bulletin says the incident originated with Context.ai, a third-party AI tool used by a Vercel employee. According to Vercel, the attacker used that access to take over the employee's Vercel Google Workspace account, then pivoted into Vercel environments and enumerated and decrypted non-sensitive environment variables (vercel.com).
Context.ai's incident statement says OAuth tokens belonging to some AI Office Suite users were compromised, and that one token was used to access Vercel's Google Workspace. Context.ai also said the AI Office Suite OAuth application had been taken down (context.ai).
Public reporting described customer data as stolen, but Vercel did not publish a total affected-customer count, and TechCrunch reported that Vercel had not received a ransom demand. Vercel also said its review with GitHub, Microsoft, npm, and Socket found no evidence that npm packages published by Vercel were compromised (techcrunch.com, vercel.com). The Hacker News separately reported that Vercel described the exposed credentials as affecting a limited subset of customers and said Vercel was notifying those customers directly (thehackernews.com).
What data was exposed
The indexed records contain customer account metadata: email addresses; names; usernames; account activity and status fields; flags including active, admin, and guest; internal IDs; created, updated, and last-seen timestamps; and timezone values (leaksear.ch metadata). The fields searchable on leaksear.ch are email, name, and username; the remaining account metadata is stored for context but is not a direct search pivot (leaksear.ch metadata).
Those indexed fields should not be read as a complete list of everything Vercel investigated in the April incident. Vercel's own bulletin separately focused on non-sensitive environment variables and credentials that affected customers were told to rotate (vercel.com).
Why this matters
For individuals and organizations in the 230-record dataset, the immediate risk is targeted phishing and account enumeration using developer identities rather than broad consumer identity theft (leaksear.ch metadata). Names, usernames, email addresses, admin or guest status, and last-seen details can make impersonation or help-desk lures more believable, especially against engineering and platform teams (leaksear.ch metadata).
Teams that used Vercel should follow Vercel's guidance for potentially affected accounts: enable MFA, review account and environment activity, rotate secrets that were stored as non-sensitive environment variables, and investigate suspicious deployments (vercel.com). To check whether this leak includes your details, search for your email, name, or username (leaksear.ch metadata).