Vimeo Leak Exposes 3,370 Cloud Access Log Records

leaksear.ch has indexed a Vimeo leak containing 3,370 records tied to the April 27, 2026 Vimeo breach, primarily Google Cloud Storage access-log entries with client IP addresses, request URIs, user agents and HTTP status codes (leaksear.ch metadata). Public disclosures tied the broader incident to a breach at Anodot, a third-party analytics vendor, and Have I Been Pwned lists the larger Vimeo breach at 119.2 thousand affected accounts with email addresses and, in some cases, names (vimeo.com, haveibeenpwned.com).

What happened

Vimeo published an April 27, 2026 security notice stating that an unauthorized actor accessed certain Vimeo user and customer data as a result of the Anodot breach. Vimeo updated the notice on May 15, 2026, saying its investigation was complete and that users and customers whose data was potentially impacted had been contacted as appropriate (vimeo.com).

Vimeo said the accessed databases primarily contained technical data, video titles and metadata, and in some cases customer email addresses. The company said the incident did not include Vimeo video content, valid user login credentials or payment card information, and that it disabled Anodot credentials, removed the Anodot integration, engaged third-party security experts and notified law enforcement (vimeo.com).

Public reporting attributed the extortion claim to ShinyHunters. BleepingComputer reported that the group listed Vimeo on an extortion portal and claimed access to Snowflake and BigQuery data, while The Record and SecurityWeek also reported that Vimeo tied the confirmed incident to Anodot. Vimeo has not publicly confirmed every attacker claim about the depth of Snowflake or BigQuery access (www.bleepingcomputer.com, therecord.media, www.securityweek.com).

What data was exposed

The leaksear.ch indexed subset is described as the BigQuery portion of the Vimeo leak and contains Google Cloud Storage access-log records for vimeo-transcode-storage-* buckets. The searchable pivot is IP address. Stored context fields include client IP type, first observed bucket, host, HTTP method, object path, referrer, request URI, user agent, HTTP status code, first seen timestamp in microseconds and occurrence count (leaksear.ch metadata).

This indexed subset is not the same as the full public breach corpus described by Have I Been Pwned. HIBP lists email addresses and names as compromised data in the broader Vimeo breach, while Vimeo said the accessed databases primarily contained technical data, video titles, metadata and some customer email addresses (haveibeenpwned.com, vimeo.com).

Why this matters

Cloud access logs are not passwords, but they can expose IP addresses, request paths, user agents and timing details that help correlate activity to networks, devices or infrastructure. For security teams and incident responders, this data may be useful for scoping exposure, but it can also support targeted phishing or social-engineering when combined with email addresses, names, video titles or other metadata from the wider breach.

Because Vimeo said valid login credentials, payment card information and video content were not included, the most immediate risk is phishing, impersonation and activity correlation rather than direct account takeover from this dataset alone (vimeo.com). To check whether your data is in this leak, search leaksear.ch for an IP address associated with your device, home network or organization (leaksear.ch metadata).

Check your exposure

Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include ip address.

Vimeo Leak Exposes 3,370 Cloud Access Log Records

What happened

What data was exposed

Why this matters

Check your exposure

Sources