Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Vercel breach lessons: are your secrets controls still too wide?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Vercel’s 2026 incident showed how a third-party OAuth app, an employee Workspace account, and readable environment variables can collapse into one secrets exposure path, according to Infisical’s analysis. The real lesson is that the effective secrets perimeter now spans every control plane that can read production credentials, not just the vault.

NHIMG editorial — based on content published by Infisical covering the Vercel breach: Learning from the Vercel Breach: A Secrets Security Playbook

Questions worth separating out

Q: What breaks when production secrets are readable inside a hosting control plane?

A: The control plane stops being a delivery layer and becomes a secrets oracle.

Q: Why do connected OAuth apps increase identity risk in secrets-heavy environments?

A: Connected apps extend trust beyond the core IAM boundary, often with broad and persistent permissions.

Q: How do security teams reduce blast radius for application secrets?

A: They reduce the number of systems that can reveal a secret and shorten the time a credential remains valid.

Practitioner guidance

  • Audit every readable secret location Inventory all places production secrets can be read back, including hosting control planes, CI/CD stores, developer laptops, and shared docs.
  • Tighten third-party OAuth governance Review connected apps, their scopes, and their ownership, then remove grants that do not have a current business need or clear lifecycle ownership.
  • Move workloads to machine identity Use OIDC, cloud-native workload identity, or projected service account tokens so CI and production workloads authenticate without long-lived bearer tokens.

What's in the full article

Infisical's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step hardening sequence for centralising secrets, runtime delivery, and rotation across multiple environments
  • Concrete configuration examples for OIDC, cloud auth, and Kubernetes auth that remove long-lived bootstrap tokens
  • Implementation detail for dynamic database leases, revocation statements, and audit-log streaming to a SIEM
  • Practical migration advice for keeping Vercel as a delivery target while moving secrets into a vault-backed source of record

👉 Read Infisical’s analysis of the Vercel breach and secrets security playbook →

Vercel breach lessons: are your secrets controls still too wide?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

The secrets perimeter is no longer the vault, it is every system that can read a production credential. The Vercel incident shows that a single hosting platform, a SaaS identity provider, and a connected third-party tool can form one continuous exposure path. That means secrets governance has to be measured by readable surface area, not by how many credentials were migrated into a central store. Practitioners should treat every reversible secret location as part of the same control domain.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who should be accountable when a third-party identity chain exposes production credentials?

A: Accountability should sit with the teams that own connected-app governance, SaaS identity policy, and secrets lifecycle controls together. A breach that crosses Workspace, a third-party tool, and a hosting platform is not a single-team problem. The right framework is shared ownership across identity, platform, and security operations.

👉 Read our full editorial: The Vercel breach shows why secrets perimeters must shrink



   
ReplyQuote
Share: