Vercel Got Hacked and Nobody Talked About It
A major platform had a security breach. The response was quiet. Here is what small teams should learn.
“The strongest walls have the smallest cracks.”
In the spring of 2024, Vercel — the platform that hosts websites for hundreds of thousands of businesses — disclosed a security incident. Environment variables, the secret keys that connect your site to your database, your payment processor, and your email service, were potentially exposed.
The disclosure was quiet. A blog post. An email to affected accounts. No headlines. No mainstream press coverage. Most of the businesses running on Vercel never even noticed. But the developers who did notice were alarmed. Environment variables are the keys to your kingdom. If someone has your database key, they can read your customer data. If they have your Stripe key, they can see your transactions.
Here's the part that matters for small businesses: most of the companies affected had no incident response plan. They didn't know which keys were exposed. They didn't know how to rotate them. They didn't even know what "environment variables" meant. They just knew their website was on Vercel, and now something was wrong.
Why this matters to you
This isn't really a story about Vercel. Every platform gets tested by attackers. The real story is that most small businesses have no idea how their digital infrastructure works. They don't know where their data lives, who has access to it, or what to do when something goes wrong.
When you use services like Vercel, Netlify, or AWS, you're trusting them with the keys to your business. That trust isn't wrong — these are good platforms. But trust without understanding is a gamble. And when the odds go bad, you need to know your next move.
Your Move
This week, make a list of every service your business depends on. Your hosting, your database, your email tool, your payment processor. For each one, write down: who has the login, where the secret keys are stored, and when you last changed them.
If you use environment variables (your developer can tell you), rotate them — which means creating new keys and replacing the old ones. Set a calendar reminder to do this every 90 days. It takes ten minutes and it's one of the cheapest forms of insurance you can buy.
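The inventory and 90-day check described above can be kept as a simple spreadsheet export and audited with a short script. This is an added example, not part of the original article; the column names, the sample rows and the `audit_inventory` function are assumptions made up for illustration.

```python
import csv
import io
from datetime import date, timedelta

ROTATION_INTERVAL = timedelta(days=90)  # the 90-day cadence from the article

# Constructed sample inventory; services, owners and dates are made up.
SAMPLE_INVENTORY = """\
service,login_owner,key_location,last_rotated
hosting,alice@example.com,hosting dashboard env vars,2024-01-10
database,alice@example.com,hosting dashboard env vars,2024-04-20
payments,,password manager,2023-11-02
email,bob@example.com,unknown,
"""


def audit_inventory(csv_text, today):
    """Return {service: [findings]} for every row that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if not row["login_owner"].strip():
            issues.append("no login owner recorded")
        if row["key_location"].strip().lower() in ("", "unknown"):
            issues.append("key storage location unknown")
        rotated = row["last_rotated"].strip()
        if not rotated:
            # A key with no recorded rotation is treated as overdue.
            issues.append("no rotation date recorded; rotate now")
        else:
            age = today - date.fromisoformat(rotated)
            if age > ROTATION_INTERVAL:
                issues.append(f"key is {age.days} days old; rotate now")
        if issues:
            findings[row["service"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, date(2024, 5, 15))
    for service, issues in report.items():
        for issue in issues:
            print(f"{service}: {issue}")
```

The inventory file should record only where each key is stored, never the key itself.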