Skip to content

INC-003 — Vercel Breach Response — Key Rotation Checklist

Issued: April 30, 2026  |  Status: ACTIVE  |  Owner: Shane / Ozzy  |  Priority: HIGH

Incident Summary

On April 19, 2026, Vercel confirmed a breach originating from Context.ai (third-party OAuth tool). An attacker used Lumma Stealer malware to compromise a Vercel employee's Google Workspace account via OAuth token theft, then enumerated and decrypted non-sensitive environment variables stored on Vercel's platform. A subset of customer credentials are potentially exposed. Stolen data was claimed for sale on BreachForums ($2M). Next.js/Turbopack code was unaffected. Sensitive (encrypted) env vars show no evidence of access.

Action required: Rotate all non-sensitive Vercel env vars and any credentials stored outside the sensitive flag. Treat all as burned until confirmed otherwise.


Section 1 — Credential Rotation Matrix

Complete each row. Check off when rotated. Treat any non-sensitive Vercel env var as compromised.

Done Priority Secret / Credential Stored In Action
CRITICAL OpenAI API Key Vercel env var + .env Rotate at platform.openai.com → API Keys
CRITICAL Anthropic API Key Vercel env var + .env Rotate at console.anthropic.com → API Keys
CRITICAL GitHub Personal Access Token Vercel + local git config Rotate at github.com → Settings → Developer Settings
CRITICAL Cloudflare API Token Vercel env var Rotate at dash.cloudflare.com → Profile → API Tokens
CRITICAL Database Credentials Vercel env var (DB_URL) Rotate DB user password; update connection string in Vercel
HIGH n8n Webhook Secret(s) Vercel / n8n config Regenerate webhook URLs in n8n; update any consumers
HIGH Vercel Account Password Vercel login Change at vercel.com → Account → Security
HIGH Google OAuth Client Secret Vercel env var Rotate at console.cloud.google.com → Credentials
HIGH Discord Bot Tokens (Ozzy/Mercy/Scout) Vercel / Discord Dev Portal Regenerate at discord.com/developers → Bot → Reset Token
HIGH Stripe / Payment Keys Vercel env var (if any) Rotate at dashboard.stripe.com → Developers → API Keys
MEDIUM NPM Auth Token GitHub Actions / .npmrc Rotate at npmjs.com → Access Tokens
MEDIUM Expo / EAS Token Pop Off CI/CD Rotate at expo.dev → Account → Access Tokens
MEDIUM Any JWT Signing Secret Vercel env var Regenerate and redeploy; invalidates all active sessions
MEDIUM SendGrid / Email API Key Vercel env var (if any) Rotate at sendgrid.com → Settings → API Keys

Section 2 — Vercel Account Hardening

Step Action Detail
1 Check for direct notification Log into vercel.com — if you received a breach notification email you are in the confirmed affected subset. If not, still proceed with rotation.
2 Audit env vars — mark sensitive Dashboard → Project → Settings → Environment Variables. For each secret: click Edit → toggle 'Sensitive' ON. Any var not marked sensitive was readable to the attacker.
3 Check Vercel activity log Dashboard → Settings → Activity. Look for anomalous API calls, bulk enumeration, or access from unexpected IPs in April 2026.
4 Enable 2FA / Passkey Account → Security → Two-Factor Authentication. Use an authenticator app or passkey. Do NOT rely on SMS alone.
5 Check Google OAuth for Context.ai Go to admin.google.com → Security → API Controls → Third-Party App Access. Search for the Context.ai OAuth Client ID. Revoke if found.
6 Review team member access Settings → Members. Remove any stale invites or accounts you don't recognize. Confirm MFA is on for all members.
7 Redeploy all affected projects After rotating env vars, trigger a fresh deploy on atlantisits.ai, .co, .info, engine, ops, docs, IceBreakrz. Confirm new vars are live.

Section 3 — Downstream System Checks

Even if Vercel confirms you're not in the direct hit list, check these systems for anomalous activity:

Done System What to Check Why It Matters
GitHub Settings → Security Log — look for unrecognized pushes, repo forks, or token usage GitHub tokens in Vercel env vars could grant repo write access
Cloudflare Audit Log → check for DNS changes, WAF rule edits, or token usage from unknown IPs All atlantisits.* domains route through Cloudflare
OpenAI / Anthropic Check API usage dashboards for unexpected token consumption or model calls API key theft = direct cost and potential data exfil via prompt injection
Discord (Ozzy / Mercy / Scout bots) Discord Dev Portal → check bot token activity; confirm bots not used to relay commands Bot tokens stored in Vercel env vars are in scope for this incident
Forgejo / n8n (local + VPS) Review n8n workflow logs for unexpected triggers; confirm Forgejo access logs look clean n8n webhook secrets may be referenced in Vercel-connected workflows

Section 4 — Post-Incident Hardening (V19 Items)

Pin these to the memory file and schedule before VPS deployment (original target: first week of May 2026):

  • Mark ALL Vercel env vars as Sensitive going forward — no plaintext secrets ever stored unencrypted
  • Add a pre-deployment secret audit step to SOP-003 (Pre-Upgrade Backup/Rollback)
  • Create SOP-006: Credential Rotation Procedure — document rotation cadence for all Atlantis services
  • Evaluate Doppler or HashiCorp Vault for centralized secrets management (especially for VPS Phase 1 stack)
  • Before Hetzner/Hostinger VPS go-live: audit all env vars across Forgejo, n8n, NTFY, Nextcloud configs
  • Enable Vercel Security Bulletin subscription — vercel.com/kb/bulletin to receive future incident alerts
  • Scout intel task: monitor BreachForums / HaveIBeenPwned API for Atlantis domain email exposure
  • Rotate credentials on a defined cadence: API keys 90 days, DB passwords 180 days, bot tokens on any personnel change

Sign-Off

Completed by _____
Date ___
Verified by (Maranda / CFO) _____
Date ___

Document Reference: INC-003  |  Relates to: SOP-003, SOP-005  |  Issued by: Ozzy (Claude / Atlantis ITS)


Confidential — internal use only. This document references rotation status for live credentials; treat its content with the same sensitivity as the secrets it tracks.