Vercel's April 2026 breach started with Roblox cheat scripts and ended with customer credentials exposed across thousands of organizations. The attack chain is five stages long, and most of the reporting only covers the first one.
The part that stuck with me isn't the breach itself. It's that Vercel stored environment variables unencrypted by default, and developers had to manually opt each credential into encryption. Scale that to an organization with 50 projects and you're looking at 500 to 1,500 credentials stored in the clear on someone else's infrastructure. The article maps the full attack chain, digs into the design flaw, and includes a detection reference with MITRE ATT&CK mappings and SIEM logic for security teams doing active investigation.