April 2026 Breach Wave: Vercel, McGraw-Hill, Adobe, Rockstar, Drift Protocol
Five high-profile breach disclosures hit in April 2026. Vercel disclosed on April 18-19 that a compromised third-party AI tool's OAuth app gave attackers read access to environment variables not marked Sensitive. McGraw-Hill lost 45M Salesforce records to ShinyHunters. Rockstar Games hit again. Drift Protocol lost $280M after a 6-month recon operation. Adobe leaked 13M support tickets. Walkthrough of each incident and what to do about Vercel's in particular if you run on the platform.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
# April 2026 breach wave: Vercel, McGraw-Hill, Adobe, Rockstar, Drift Protocol
This month turned into one of the busiest stretches for data-breach disclosures we've seen since the summer of 2024. Five separate incidents are in the headlines as of April 19, and they matter to different audiences for different reasons. Four are the kind of breach a news reader sees as a passing headline. The fifth, Vercel's internal-systems compromise disclosed yesterday, hits anyone running a modern web app because it means your environment variables may have been exposed even if you did nothing wrong.
I run Valtik Studios on Vercel. I rotated every secret on the platform this morning. This post walks through what happened, who's affected, and what to actually do about each.
## 1. Vercel — third-party OAuth compromise, env vars potentially exposed
Disclosure date: April 18-19, 2026 (bulletin last updated April 19).
Attack vector: A small third-party AI tool's Google Workspace OAuth app was compromised. That app had elevated access into Vercel's internal systems for an unspecified subset of customers.
What got touched: Certain internal Vercel systems were accessed. Environment variables marked as "sensitive" in the Vercel dashboard showed no evidence of unauthorized access. Environment variables NOT marked sensitive (the default) are considered potentially exposed for affected customers.
Blast radius: Vercel cannot confirm exactly which customers were read. The guidance is to treat any non-sensitive env var as potentially leaked.
Why this matters: Vercel is the platform underneath a meaningful slice of the modern web — Next.js SaaS products, every marketing site built in the last three years, a lot of indie developer infrastructure. If your API keys, database passwords, webhook signing secrets, or identity provider client secrets sat in Vercel env vars without the Sensitive flag, rotate them. The Sensitive flag was introduced specifically to block this kind of read access.
What to do (in priority order):
- Rotate every non-sensitive secret in Vercel. API keys (Stripe, OpenAI, Anthropic, Resend, SendGrid, Twilio), database passwords, webhook signing secrets, JWT signing keys, session secrets, SSH keys, OAuth client secrets.
- Mark every rotated secret "Sensitive" when you add the replacement. Vercel → Settings → Environment Variables → click the three-dot menu on the row → toggle Sensitive. Values no longer render in the UI after save.
- Audit your Vercel team activity log. Settings → Audit Log. Look for unusual logins, env var reads, project access changes, new team member invites, tokens minted. Screenshot anything that isn't you.
- Redeploy. Env var changes don't auto-apply in Vercel; only a new deployment picks up the rotated values.
- Propagate rotated secrets to any system that shares them. Our VPS that receives Vercel webhooks shares the HMAC signing secret. If we rotate on Vercel without matching on the VPS, the pipeline breaks. Make sure both sides update.
What not to do: do not ignore this just because your Vercel account has MFA. The attack didn't go through your account. It went through a third-party OAuth app that was granted access at some point, possibly by another team member, possibly implicitly by using an integration. The mitigation is secret rotation, not password changes.
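An added example, not code from the post or from Vercel, for the receiver side of the last step above: a webhook verifier that accepts both the old and the newly rotated signing secret during the cutover, so rotating on Vercel before the VPS config is updated (or the other way round) does not drop events. It assumes Vercel's documented scheme of an HMAC-SHA1 hex digest over the raw request body in the `x-vercel-signature` header; the secret values and the sample body are constructed.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample body of a Vercel-style deployment webhook (not a real event).
SAMPLE_BODY = b'{"type":"deployment.succeeded","payload":{"deployment":{"id":"dpl_example"}}}'

# Both secrets stay configured on the VPS for the grace window; "new" is the value
# just set in the Vercel dashboard, "old" is the one being retired. Constructed values.
SECRETS_IN_ROTATION: Dict[str, str] = {
    "new": "whsec_new_constructed_value",
    "old": "whsec_old_constructed_value",
}


def sign(body: bytes, secret: str) -> str:
    """HMAC-SHA1 hex digest of the raw body (assumed x-vercel-signature scheme)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha1).hexdigest()


def verify(body: bytes, signature: Optional[str], secrets: Dict[str, str]) -> Optional[str]:
    """Return the label of the secret that produced `signature`, or None.

    Every secret still in the grace window is tried, so a rotation on one side
    does not break the pipeline. hmac.compare_digest keeps the comparison
    constant-time; the returned label tells you when "old" can be dropped.
    """
    if not signature or len(signature) != 40:
        return None
    for label, secret in secrets.items():
        if hmac.compare_digest(sign(body, secret), signature.lower()):
            return label
    return None


def handle_event(headers: Dict[str, str], body: bytes,
                 secrets: Dict[str, str] = SECRETS_IN_ROTATION) -> Tuple[bool, Optional[str]]:
    """Simulated request handler: (accepted, which_secret_matched).

    Header lookup is case-insensitive; the body must be the raw bytes as
    received, since any re-serialisation changes the digest.
    """
    sig = next((v for k, v in headers.items() if k.lower() == "x-vercel-signature"), None)
    label = verify(body, sig, secrets)
    if label == "old":
        print("warning: event signed with the retiring secret; VPS-side rotation pending")
    return (label is not None, label)
```

Once the audit log shows every event arriving under "new", remove "old" from the receiver's configuration to close the window.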
## 2. McGraw-Hill — 45M Salesforce records via ShinyHunters
Disclosure: Mid-April 2026.
Attack vector: Salesforce environment misconfiguration. ShinyHunters claims the access came via a legitimately installed Salesforce connector or a compromised Salesforce Admin account. Details remain under investigation.
What got stolen: Approximately 45 million Salesforce records containing personally identifiable information of McGraw-Hill customers, including educational institutions and individual learners.
Attribution: ShinyHunters ransomware / extortion group. They're the same operators behind several 2023-2025 Salesforce-targeted breaches (AT&T, Ticketmaster, Santander).
What this teaches operators: Salesforce misconfigurations are the bread-and-butter of 2026 ransomware economics. Guest-user access, Experience Cloud public objects, and misconfigured sharing rules let attackers pull entire customer databases via the REST API. We have a Salesforce guest auditor in our toolkit specifically for this. If you run Salesforce and haven't audited your external-facing sharing rules in the last 6 months, stop reading and go do that.
## 3. Rockstar Games — ShinyHunters ransomware
Disclosure: Around April 12, 2026.
Attack vector: Ransomware. Exact entry point not public.
What's exposed: Under active investigation. Initial reports suggest internal development data and some customer records.
Attribution: ShinyHunters again.
Why you care: Rockstar is a repeat target. They were breached in September 2022 (the GTA 6 leak, 90GB of source code and video walkthroughs dumped on GTAForums by teapotuberhacker). Two breaches in ~3.5 years at a company with Take-Two's security budget tell you that even well-resourced targets get hit when the attacker economics are right. For smaller orgs, the takeaway is that ransomware mitigation is operational resilience, not perimeter defense: tested backups, segmented networks, and an incident response plan that doesn't take 48 hours to stand up.
## 4. Drift Protocol — $280M crypto heist after 6-month planning
Disclosure: April 1, 2026.
Attack vector: Sophisticated, multi-stage, with evidence of 6+ months of pre-attack reconnaissance. Final compromise details not fully public, but the attack pattern matches a DPRK / North Korean pattern (Lazarus / APT38 or a related cluster).
Loss: $280+ million in cryptocurrency.
What it means: DeFi protocols continue to be where the largest individual breaches occur. Drift is a perpetual futures exchange on Solana. The 6-month recon horizon means the attackers studied the protocol deeply before striking. This isn't a smash-and-grab; it's intelligence work.
Relevance for non-crypto readers: the same attack pattern — months-long quiet recon, deep protocol understanding, then a precise strike — is what state-sponsored actors run against traditional enterprises too. Defensive detection has to cover the quiet reconnaissance phase, not just the exploitation moment.
## 5. Adobe — "Mr. Racoon" exfil of support tickets + employee records
Disclosure: April 2026.
Attack vector: Not fully public. "Mr. Racoon" is a relatively new threat handle, first seen in late 2025.
What's exposed: 13 million support tickets, 15,000 employee records, internal documentation.
What it teaches: Support ticket systems are a goldmine. They contain customer usernames, product keys, partial credit card numbers, debugging dumps with sensitive data, and sometimes plaintext customer passwords attached by users who didn't know better. If you run a help desk (Zendesk, Intercom, HubSpot Service Hub, Freshdesk) you should be treating it with the same security rigor as your production database. Most orgs don't.
## The common thread across these five
All five incidents share a single underlying observation: the perimeter isn't where you think it is.
- Vercel: breached through a third-party OAuth app, not through Vercel's own auth
- McGraw-Hill: breached through a Salesforce config mistake, not through McGraw's own systems
- Rockstar: repeat victim. Once in, always a target
- Drift: months of quiet recon before the actual theft
- Adobe: a support-ticket system, not the main product, yielded the PII
Modern attack surfaces include every OAuth grant, every SaaS integration, every third-party subprocessor, every customer-service tool, and every forgotten preview deployment. Traditional pentests that only look at the main web app miss most of this.
## What Valtik does about this
Our penetration testing methodology specifically covers the surface area that these breaches exploited:
- Third-party OAuth audit (what Vercel got hit on): enumeration of every OAuth grant in your Google Workspace, Microsoft 365, Slack, and GitHub orgs. Flag anything with unusually broad scope or stale usage.
- Salesforce Experience Cloud auditor (McGraw-Hill): automated guest-user enumeration, public-object detection, sharing-rule review.
- SaaS subprocessor enumeration: we map every vendor that holds your data and rate them on incident response transparency.
- Support ticket system review (Adobe): Zendesk / Intercom / HubSpot access audits, data classification, retention policy review.
- Dormant preview deployment cleanup (Vercel): stale PR deployments, forgotten staging environments, `.vercel.app` subdomain enumeration.
If any of the five stories above made you nervous about your own posture, that's the right instinct. Reach out at hello@valtikstudios.com or request a free website security check to start.