DEV Community

Jonathan Murray

Vercel Hack: Why You Need to Rotate Your "Non-Sensitive" Environment Variables Today

If you deploy on Vercel, today's headlines about a security incident might have caused some stress.

I know firsthand how disruptive supply chain alerts can be. Take a deep breath.

We are going to separate the noise from the facts and focus on the practical steps you can take today to secure your infrastructure.

Here is a straightforward guide to protecting your applications.

What Actually Happened

Before we jump into the steps, here are the verified facts:

  • The Root Cause: Vercel confirmed unauthorized access to internal systems via a compromised third-party AI tool with a Google Workspace OAuth integration.
  • The Exposure: Environment variables marked as "Sensitive" remained encrypted and protected. However, standard or non-sensitive environment variables were likely exposed to the attacker.
  • The Claims: A threat actor using the name ShinyHunters claims to be selling Vercel data. Vercel is actively handling the situation and its core services remain online.

Because non-sensitive variables were likely exposed, treat every value stored as a non-sensitive variable as already in the attacker's hands. Your immediate priority is auditing and rotating those credentials, not waiting for confirmation.

Step-by-Step Remediation Guide

Step 1: Audit Your Vercel Environment Variables

Log into your Vercel dashboard and review the environment variables for every active project, in every environment (production, preview, and development). You are looking for any secret that was not explicitly marked with the "Sensitive" flag: only a Sensitive variable has its value hidden after creation, so everything else is readable to anyone who could reach the project settings or the API. Pay close attention to:

  • Database connection strings (Postgres, MongoDB, Redis), especially ones with a password embedded in the URL
  • Third-party API keys (Stripe, SendGrid, OpenAI)
  • Authentication secrets and JWT signing keys
  • Anything prefixed NEXT_PUBLIC_ that holds a secret: those values are inlined into the browser bundle and are public regardless of the flag, so they need to move server-side rather than just be rotated

Step 2: Revoke Upstream Credentials

If you find a secret stored as a non-sensitive variable, changing it in Vercel is not enough. Overwriting the variable only changes what your deployments use; the leaked value keeps working until the issuer invalidates it. You must revoke the compromised key at the source.

  • Go to the service provider (AWS, Supabase, Stripe, etc.).
  • Revoke or delete the old credential entirely.
  • Generate a brand new credential.

If you cannot tolerate downtime, generate the new credential first, redeploy with it, and then revoke the old one. If your logs already show the old credential being used from somewhere you do not recognise, revoke first and accept the outage.

Step 3: Update and Flag as Sensitive

Take your newly generated keys and add them to your Vercel projects as "Sensitive" environment variables; make absolutely sure the box is checked before you save. A Sensitive value can be written but never read back from the dashboard, CLI, or API, and is only decrypted when Vercel injects it into a build or a function. Two caveats: flagging an existing variable as Sensitive does nothing for a value that was already exposed, so rotate first and flag second; and a changed variable only reaches production after a new deployment, so redeploy once the new values are in place.
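The audit and rotation steps above, as an added example that is not part of the original post or any Vercel tooling. It takes the list of a project's environment variables in the shape returned by Vercel's project environment-variables endpoint (GET /v9/projects/{id}/env), flags the non-sensitive ones whose name or value looks like a credential, separates NEXT_PUBLIC_ secrets (which need a redesign) from ones that can simply be rotated, and emits the CLI commands to re-add each rotated variable as Sensitive. The sample data is constructed with fake values; the detection patterns are illustrative rather than exhaustive, and the `--sensitive` flag on `vercel env add` is taken from the current CLI documentation.

```python
import re
from typing import Iterable

# Constructed sample in the shape of the `envs` array returned by Vercel's
# project environment-variables endpoint (GET /v9/projects/{id}/env). The
# keys, targets and values are fake. This example assumes that, as in the
# incident described above, non-sensitive entries come back with their value
# readable while "sensitive" entries carry no value at all.
SAMPLE_ENVS = [
    {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"],
     "value": "postgres://app:hunter2@db.example.internal:5432/app"},
    {"key": "STRIPE_SECRET_KEY", "type": "encrypted", "target": ["production", "preview"],
     "value": "sk_live_FAKEFAKEFAKEFAKEFAKE"},
    {"key": "JWT_SIGNING_KEY", "type": "sensitive", "target": ["production"]},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain",
     "target": ["production", "preview", "development"], "value": "Acme"},
    {"key": "NEXT_PUBLIC_ANALYTICS_TOKEN", "type": "plain", "target": ["production"],
     "value": "ua-00000000"},
    {"key": "LOG_LEVEL", "type": "plain", "target": ["production"], "value": "info"},
    {"key": "VERCEL_URL", "type": "system", "target": ["production"]},
]

# Variable names that are almost always credentials.
SECRET_NAME = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE|CREDENTIAL|_KEY$|DSN$", re.I)

# Value shapes of a few common credential formats (illustrative, not exhaustive).
SECRET_VALUE = re.compile(r"""
      ^sk_(live|test)_                       # Stripe secret keys
    | ^AKIA[0-9A-Z]{16}$                     # AWS access key IDs
    | ^SG\.[A-Za-z0-9_-]{20,}                # SendGrid API keys
    | ^gh[pousr]_[A-Za-z0-9]{30,}            # GitHub tokens
    | ^(postgres(ql)?|mysql|mongodb(\+srv)?|rediss?)://[^/@]*:[^@/]+@   # URL with embedded password
""", re.X)


def audit_envs(envs: Iterable[dict]) -> list[dict]:
    """Return the non-sensitive variables that look like credentials, with the action each needs."""
    findings = []
    for env in envs:
        key, kind = env["key"], env["type"]
        if kind in ("sensitive", "system"):
            continue  # value unreadable (sensitive) or Vercel-managed (system): nothing to rotate
        reasons = []
        if SECRET_NAME.search(key):
            reasons.append("name")
        if SECRET_VALUE.search(env.get("value", "")):
            reasons.append("value")
        if not reasons:
            continue
        findings.append({
            "key": key,
            "targets": list(env.get("target", [])),
            "reason": "+".join(reasons),
            # NEXT_PUBLIC_* values are inlined into the browser bundle, so a secret
            # there is public no matter how it is stored: it must move server-side,
            # not merely be rotated and flagged Sensitive.
            "action": "redesign" if key.startswith("NEXT_PUBLIC_") else "rotate",
        })
    return findings


def rotation_plan(findings: list[dict]) -> list[str]:
    """Vercel CLI commands to replace each flagged variable with a Sensitive one.

    Revoke and re-issue the credential at its provider BEFORE running these: the
    CLI only changes what your deployments receive, not whether the old value works.
    The --sensitive flag on `vercel env add` is assumed from the current CLI docs.
    """
    cmds = []
    for f in findings:
        if f["action"] != "rotate":
            continue
        for target in f["targets"]:
            cmds.append(f"vercel env rm {f['key']} {target} --yes")
            # The new value is read from stdin, e.g.: printf '%s' "$NEW" | vercel env add ...
            cmds.append(f"vercel env add {f['key']} {target} --sensitive")
    return cmds


if __name__ == "__main__":
    found = audit_envs(SAMPLE_ENVS)
    for f in found:
        print(f"{f['action']:8} {f['key']:30} targets={','.join(f['targets'])} reason={f['reason']}")
    print()
    print("\n".join(rotation_plan(found)))
```

On the sample, DATABASE_URL is caught by its value (a password embedded in the connection URL), STRIPE_SECRET_KEY by both name and value, and NEXT_PUBLIC_ANALYTICS_TOKEN is reported as a redesign rather than a rotation; the already-Sensitive JWT_SIGNING_KEY and the Vercel-managed VERCEL_URL are skipped. Run it against your real project by fetching the endpoint with a scoped API token and passing the `envs` array to `audit_envs`.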

Step 4: Audit Your OAuth Integrations

Since this breach originated from a compromised third-party OAuth app, use this opportunity to clean up your own team's integrations. A long-forgotten tool that still holds a broad OAuth grant is the same class of access the attacker used here.

  • Review your GitHub organization settings (Third-party access and Installed GitHub Apps) and remove any OAuth app or GitHub App you do not recognise.
  • In the Google Workspace admin console, review the third-party apps that have OAuth access to your domain and revoke any you do not recognise.
  • Revoke access for any third-party tools your team no longer uses, and prefer read-only or narrowly scoped grants for the ones you keep.

Step 5: Monitor Your Logs

Keep a close eye on your application, database, and provider logs over the next few days. Look for unfamiliar source addresses connecting to your database or calling your third-party APIs, unexpected spikes in API usage, and, after you rotate, authentication failures from requests that still present the old key. The last one is the clearest signal of all: whoever sends those requests holds the leaked value.

Moving Forward

Security incidents are stressful, but handling them methodically is your best defense. By rotating your exposed keys and locking down your variables, you close the door on the immediate risks. Run through the checklist, secure your workspace, and get back to building.
