Over the weekend, Vercel — one of the biggest platforms used to host websites and web apps — disclosed that hackers gained access to their internal systems. If your website was built with tools like Next.js or hosted on Vercel, this might directly affect you. But even if it wasn't, there's an important lesson here for every small business owner.
The hackers didn't break in through some high-tech exploit. They got in through an AI productivity app that an employee had connected to their work account.
What Actually Happened (and How It Started With a Video Game Cheat)
This one reads like a thriller — and it starts somewhere you wouldn't expect.
Back in February, an employee at a small AI company called Context.ai downloaded what appears to have been a cheat script for the video game Roblox. That download was laced with malware — specifically a type called an "infostealer" — which quietly harvested all the passwords, login sessions, and credentials stored on that person's computer.
Among the stolen data were the employee's work logins: their Google Workspace account, developer tools, and admin access to systems hosted on Vercel.
A well-known hacking group called ShinyHunters got hold of those stolen credentials and used them to break into Context.ai. Because Context.ai was connected to a Vercel employee's Google account via a simple "Sign in with Google" permission, the hackers were able to pivot straight into Vercel's internal systems — accessing customer data, stored secrets, and deployment configurations.
The stolen Vercel data is now reportedly being sold on hacking forums.
Security researchers at Hudson Rock flagged the compromised credentials over a month before the breach went public. If those stolen logins had been revoked immediately, the entire attack could have been prevented.
Why This Matters for Your Practice
You might be thinking, "I don't use Vercel, so this doesn't apply to me." But the pattern behind this breach is something every small business owner should pay attention to.
Think about how many apps and tools you've connected to your Google or Microsoft account over the years. Scheduling tools, email marketing platforms, AI writing assistants, social media managers, online booking systems, telehealth platforms — each one of those connections is a potential doorway into your accounts.
When you click "Sign in with Google" or "Allow access," you're granting that app a set of permissions. If that app gets hacked, the attacker may be able to access anything the app could access — your emails, your calendar, your files.
For therapists and wellness practitioners handling sensitive client information, that's a serious concern.
What You Can Do Today
You don't need to be a tech expert to tighten things up. Here are a few practical steps.
1. Check if you were directly affected
If you use Google Workspace for your business, you can check whether the compromised Context.ai app ever had access to your account. Go to your Google Admin Console → Security → API Controls → Manage Third-Party App Access, and search for client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj. If nothing comes up, you're in the clear. If it does appear, revoke access immediately and consider reaching out to an IT professional to check for any unauthorised activity.
2. Review all your connected apps
Even if you're not affected by this specific breach, now is a great time for a general clean-up. Go to your Google account settings (myaccount.google.com → Security → Third-party apps with account access) and look at what's connected. If you don't recognise something or haven't used it in months, revoke its access.
3. Be selective about new AI tools
Before connecting a new app to your work accounts, ask yourself: does this tool genuinely need access to my email or calendar? Many apps request far more access than they actually need.
4. Use separate accounts where possible
If you want to try a new AI tool, consider signing up with a separate email rather than connecting it to the account you use for client communications.
5. Turn on two-factor authentication
If you haven't already, enable 2FA on your Google, Microsoft, and email accounts. It won't stop every attack, but it makes things significantly harder for anyone trying to get in.
6. Be careful what you download
This breach began with a single dodgy download on a work computer. It's a good reminder to keep personal downloads — especially anything from unofficial sources — off the devices you use for work.
7. Ask your web developer
If your website is hosted on Vercel, ask your developer whether any credentials need to be rotated. They'll know what to check.
You wouldn't give a stranger the keys to your practice. Treat app permissions the same way — every connected app is effectively a spare key you've handed out.
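For anyone with a developer or IT contact, here are steps 1 to 3 as a script. It is an added example, not part of the original article or any Google tooling. It assumes a hypothetical JSON export of app grants with `user`, `clientId`, `displayText` and `scopes` fields; the sample records and the choice of "broad" scopes are constructed for illustration.

```python
import json

# Client ID from step 1 of this article. The page prints it without the usual
# ".apps.googleusercontent.com" suffix, so both forms are matched.
FLAGGED_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj"
SUFFIX = ".apps.googleusercontent.com"

# Scopes treated as "broad" here (an assumption; adjust to your own practice).
BROAD_SCOPES = {
    "https://mail.google.com/",                  # full Gmail access
    "https://www.googleapis.com/auth/drive",     # all Drive files
    "https://www.googleapis.com/auth/calendar",  # all calendars
}

def normalize(client_id):
    """Lower-case, trim, and drop the suffix so both ID forms compare equal."""
    cid = client_id.strip().lower()
    return cid[: -len(SUFFIX)] if cid.endswith(SUFFIX) else cid

def review_grants(grants):
    """Split grants into (flagged client, other apps holding broad scopes)."""
    flagged, broad = [], []
    for g in grants:
        hits = sorted(set(g.get("scopes", [])) & BROAD_SCOPES)
        if normalize(g.get("clientId", "")) == FLAGGED_CLIENT_ID:
            flagged.append((g["user"], g["displayText"]))
        elif hits:
            broad.append((g["user"], g["displayText"], hits))
    return flagged, broad

# Constructed sample export: users, app names and the non-flagged IDs are made up.
SAMPLE = json.loads("""[
 {"user": "owner@example.com", "displayText": "sample-scheduler",
  "clientId": "000000000000-constructedscheduler.apps.googleusercontent.com",
  "scopes": ["openid", "https://www.googleapis.com/auth/calendar"]},
 {"user": "reception@example.com", "displayText": "sample-ai-notes",
  "clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
  "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
 {"user": "owner@example.com", "displayText": "sample-newsletter",
  "clientId": "000000000000-constructednewsletter.apps.googleusercontent.com",
  "scopes": ["openid", "email"]}
]""")

if __name__ == "__main__":
    flagged, broad = review_grants(SAMPLE)
    for user, app in flagged:
        print(f"REVOKE NOW: {app} is authorised for {user}")
    for user, app, scopes in broad:
        print(f"REVIEW: {app} ({user}) holds {', '.join(scopes)}")
```

A grant for the flagged client is reported once, under "revoke", whatever scopes it holds; every other app is listed for review only if it holds one of the broad scopes.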
The Bigger Lesson
A video game cheat on one person's computer led to a breach at one of the internet's biggest web hosting platforms. That's the reality of how cybersecurity works in 2026 — it's rarely a dramatic Hollywood hack. It's a chain of small, human mistakes that add up.
We're all adopting AI tools at speed right now — and for good reason. They save time, they're often free or cheap, and they genuinely help. But each one you connect to your business accounts becomes part of your security picture. And if someone in that chain does something careless, it can ripple outward in ways nobody expected.
If you'd like help reviewing your connected apps or tightening up your online security, get in touch — we're always happy to help our clients stay protected.
Meet Krystyna
Founder, Creative Director
Hi, I'm Krystyna. I create thoughtful websites that clearly communicate who you are and what you do, and help connect you with the people already looking for your services.
