๐ All We Know About the Vercel Leak, the $2M Claim, and an OAuth Chain You Should Not Ignore
I have the same low-level feeling many teams describe: security headlines stacking faster than sprint retros. My desktop OS even volunteered this week to wipe the apps I pinned to the Start menu. The story that matters for builders is what Vercel and Context published about April 2026.
Hi, my name is Tom Smykowski, I'm a staff full-stack engineer. I build and scale SaaS platforms to millions of users, working end-to-end from system architecture to frontend to mobile. On this blog I write about security incidents, deployment platforms, and the engineering choices that quietly decide whether secrets stay secret.
The platform, the product, and the headine
Vercel is not a niche host. It is where a huge slice of front-end and full-stack teams ship static sites, serverless routes, and edge logic.
In April 2026 Vercel began publishing incident updates on its knowledge base. Context published its own incident statement about Context AI Office Suite, the consumer AWS-hosted bundle released in June 2025.
Context writes that they detected unauthorised access to that AWS footprint, notified forensic partners, shut consumer hosting, and later learned OAuth tokens from some AI Office Suite users were compromised. One token was reportedly used against a Google Workspace tenant tied to Vercel. At least one grant applied broad workspace permissions meant for AI-generated mail and documents.
Vercel confirms attackers pivoted into some internal environments and environment variables not marked sensitive, while stating no evidence that sensitive-marked secrets were accessed. News outlets separately described an alleged criminal-forum listing near two million dollars for related data; treat that number as reporting, not proof.
Why OAuth matters more than the AI branding
Workspace OAuth consent often arrives as an all-or-nothing bundle: approve the scopes the vendor requested or lose the workflow. Security wants minimal scopes. Sales wants the demo tomorrow. Someone clicks Allow, and suddenly mail, Drive, and administrative surfaces share one compromise story.
That configuration edge rhymes with other posts about identity signals leaking further than users expect. It is also why plaintext environment variables hurt so much: they frequently proxy into Stripe, Twilio, Auth0, databases, CI systems, and observability stacks.
What you already know how to do
Rotate secrets, audit grants, enable MFA on human accounts, enable vendor features that store secrets unreadable from dashboards. You have heard it before.
The unlocked full article on this site goes further: a subscriber-only playbook that expands every short bullet into sequencing, dependency order, OAuth governance for Workspace-style suites, progressive permission design for agent products, realistic rotation drills, and downstream least-privilege checks so the next headline costs hours instead of quarters.
What this article is about
A readable timeline of the April 2026 Vercel and Context disclosures, the reported resale figure, why Google Workspace consent patterns amplify third-party AI risk, and how plaintext environment variables connect to payment and identity providers.
Questions this article answers
- What did Vercel and Context actually publish versus what showed up on forums?
- How does a consumer AI suite token translate into hosting-platform access?
- Which classes of secrets sit in non-sensitive variables and why does that distinction matter operationally?
- What concrete steps sit inside the paid full version for teams who need more than headline advice on how to protect deployments and downstream services?
Article size and reading time
Full post on the blog is roughly 2,150 words and lands around 8 minutes of focused reading for engineers who skim API docs for breakfast.