Vercel discloses April 2026 security incident, says a limited set of customers were impacted

It has been reported that Vercel identified a security incident involving unauthorized access to certain internal systems. The company says it has engaged outside incident response experts, notified law enforcement, and is actively investigating and remediating the issue. Services remain operational, Vercel adds, and the company will update a public bulletin as the probe progresses.

What Vercel says about scope and response

Vercel reports that a limited subset of customers were impacted and that those customers are being contacted directly. Details about what data — if any — was exposed were not provided in the initial bulletin. The move to bring in external responders and law enforcement is standard practice, but it also signals the company is treating this seriously. Still, questions remain: how did the access happen, and for how long?

Recommendations for customers

Vercel recommends customers review environment variables and use its sensitive environment variable feature; it has been reported that those steps are intended to reduce exposure risk. Customers worried about secrets should consider rotating credentials and following usual best practices for secret management — better safe than sorry. For more information or specific concerns, customers are directed to contact support@vercel.com.

Sources: vercel.com, Hacker News