In April 2026, Vercel disclosed a data breach originating from a compromised third-party AI productivity tool. A Vercel employee had connected Context.ai, an AI-powered workplace assistant, to their Google Workspace account with broad OAuth permissions. When a Lumma Stealer infostealer infected a Context.ai employee device in February 2026, the attacker harvested the OAuth tokens Context.ai held for its customers. Those tokens provided authenticated, delegated access to Vercel’s internal Google Workspace environment. From there, the attacker moved to Vercel’s internal systems, exfiltrating API keys, GitHub tokens, NPM tokens, source code, and 580 employee records. The stolen data was subsequently listed on BreachForums for $2 million.
What Happened
Context.ai is an AI tool that integrates with Google Workspace to surface contextual information during meetings, conversations, and document work. Like many AI productivity tools, it requires OAuth authorisation to Google Workspace data and stores the resulting tokens to provide its service continuously.
The attack chain:
- February 2026: Lumma Stealer infostealer infects a Context.ai employee device, harvesting browser session data and OAuth tokens
- February-April 2026: Attacker uses stolen Context.ai OAuth tokens to access customer Google Workspace environments, including Vercel’s
- April 19, 2026: Vercel publicly discloses the breach and confirms the attack vector: a compromised Context.ai OAuth integration
- April 2026: Stolen data listed on BreachForums for $2 million, including source code, API keys, GitHub tokens, NPM tokens, and 580 employee records
The data exfiltrated from Vercel included:
- Source code and internal repositories
- API keys and service credentials
- GitHub personal access tokens
- NPM publishing tokens
- 580 employee records
- Internal project and configuration files
Vercel confirmed that Context.ai – not Vercel’s own systems, was the point of compromise. The OAuth tokens that Context.ai held for Vercel provided the access path.
How It Happened
The breach has three compounding NHI failures:
Shadow AI tool adoption without security review. The Vercel employee connected Context.ai to their Google Workspace independently, without an IT or security approval process. Shadow AI adoption — the use of AI tools by individual employees or teams outside formal procurement — is now one of the fastest-growing sources of ungoverned OAuth grants in enterprise environments. Context.ai requested “Allow All” OAuth permissions: broad delegated access to email, calendar, documents, and contacts. That grant persisted indefinitely after it was made.
Long-lived OAuth refresh tokens held by a third party. Context.ai stored OAuth refresh tokens that would automatically refresh access to customer Google Workspace environments. Those tokens had no expiry, no rotation schedule, and no audit trail visible to Vercel. From Vercel’s perspective, the OAuth grant had been made and the tool was working — there was no signal that the tokens were being held externally or that they had been compromised.
No access control on the trust boundary. When Context.ai’s internal systems were compromised by the Lumma Stealer, the attacker obtained valid, authenticated OAuth tokens that Google Workspace would accept as legitimate delegated access. The perimeter was the OAuth consent grant made months earlier. The attacker did not need to break into Vercel. They inherited access that had already been granted.
What This Means for NHI Governance
The Vercel breach follows the same structural pattern as the Salesloft/Drift OAuth compromise, the Sisense supply chain attack, and the Klue OAuth supply chain breach. In each case, the entry point was an OAuth token held by a third-party SaaS platform, and the blast radius was the customer environment that had granted that delegation.
This pattern has a specific name in NHI governance: the OAuth supply chain problem. Every time an employee grants an AI tool, productivity application, or integration service access to corporate data via OAuth, they create a non-human identity relationship between the third party and the organisation. That relationship:
- Persists indefinitely unless explicitly revoked
- Is typically invisible to the security team
- Carries the permissions that were granted at consent time, regardless of whether those permissions are still necessary
- Has its trust boundary at the third-party platform, not at the organisation’s own perimeter
Context.ai is one of thousands of AI tools now requesting OAuth access to enterprise Google Workspace and Microsoft 365 environments. The AI productivity tool adoption wave of 2025-2026 has created a significant and largely ungoverned OAuth supply chain surface in most organisations.
The Vercel breach should serve as the reference case for why every OAuth grant to an AI tool is a non-human identity that needs to be governed: inventoried, scoped, reviewed, and revocable on demand.
Recommendations
- Audit all OAuth grants to third-party applications in Google Workspace and Microsoft 365. Most organisations have hundreds of OAuth grants they have never reviewed. Build an inventory: which apps have access, what scopes they hold, when access was last reviewed, and who the business owner is.
- Restrict OAuth consent to administrator-approved applications only. Disable user-level OAuth consent for third-party applications. Require IT or security review and approval before any application can access corporate data through OAuth.
- Implement OAuth grant expiry and periodic re-authorisation. Long-lived OAuth refresh tokens are the core vulnerability. Work with administrators to enforce token expiry and require periodic re-authorisation of all third-party integrations.
- Apply least-privilege scoping to all OAuth grants. “Allow All” permissions are rarely necessary. An AI meeting assistant does not need access to all email. Scope every OAuth grant to the minimum required for the tool to function.
- Treat third-party AI tool integrations as privileged third-party access relationships. The AI productivity tool category has moved from novelty to critical workflow infrastructure faster than governance frameworks have adapted. Every AI tool that holds OAuth access to corporate data is a supply chain risk that deserves the same scrutiny as any other third-party integration.
- Monitor for anomalous OAuth token usage. Unexpected source IPs, access outside business hours, and bulk data access patterns from integration credentials should trigger immediate investigation.
How NHI Mgmt Group Can Help
Securing Non-Human Identities (NHIs) including AI Agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting their digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.
Final Thoughts
The Vercel breach is the AI tool adoption wave’s security bill arriving. As organisations have embraced AI productivity tools with unprecedented speed, each new tool adoption has created an OAuth delegation relationship, a non-human identity connection between the tool and the corporate environment. Most of those connections were made by individual employees without security review, with broad permissions, and with no expiry or rotation. Context.ai holding Vercel’s OAuth tokens is not unusual.
It is representative of how hundreds of AI tools are integrated with enterprise environments today. The lesson is not to stop adopting AI tools. The lesson is that every OAuth grant is an NHI relationship that needs to be governed with the same rigour as any other privileged credential.
