Vercel discloses April security incident

This looks like a contained but serious platform-security event: the immediate blast radius appears limited, yet the disclosure is sparse enough that customers should treat secret hygiene as urgent until more facts land.

• –Vercel has already notified law enforcement and is working with incident response specialists, which suggests the company is treating this as a real compromise rather than a routine alert
• –The bulletin emphasizes that only a limited subset of customers was impacted, but does not yet say how access was gained or what data, if any, was exposed
• –The recommendation to review environment variables is the practical takeaway here: anyone using Vercel should audit secrets, rotate anything sensitive, and check for exposure paths
• –Services staying online reduces operational fear, but it does not reduce the need for customers to verify their own deployments, tokens, and third-party integrations
• –The incident reinforces how much trust Vercel users place in platform-side isolation and secret handling, especially for teams shipping fast with managed infrastructure