INC-003 — Vercel Breach Response — Key Rotation Checklist
Issued: April 30, 2026 | Status: ACTIVE | Owner: Shane / Ozzy | Priority: HIGH
Incident Summary
On April 19, 2026, Vercel confirmed a breach originating from Context.ai (third-party OAuth tool). An attacker used Lumma Stealer malware to compromise a Vercel employee's Google Workspace account via OAuth token theft, then enumerated and decrypted non-sensitive environment variables stored on Vercel's platform. A subset of customer credentials are potentially exposed. Stolen data was claimed for sale on BreachForums ($2M). Next.js/Turbopack code was unaffected. Sensitive (encrypted) env vars show no evidence of access.
Action required: Rotate all non-sensitive Vercel env vars and any credentials stored outside the sensitive flag. Treat all as burned until confirmed otherwise.
Section 1 — Credential Rotation Matrix
Complete each row. Check off when rotated. Treat any non-sensitive Vercel env var as compromised.
| Done | Priority | Secret / Credential | Stored In | Action |
|---|---|---|---|---|
| ☐ | CRITICAL | OpenAI API Key | Vercel env var + .env | Rotate at platform.openai.com → API Keys |
| ☐ | CRITICAL | Anthropic API Key | Vercel env var + .env | Rotate at console.anthropic.com → API Keys |
| ☐ | CRITICAL | GitHub Personal Access Token | Vercel + local git config | Rotate at github.com → Settings → Developer Settings |
| ☐ | CRITICAL | Cloudflare API Token | Vercel env var | Rotate at dash.cloudflare.com → Profile → API Tokens |
| ☐ | CRITICAL | Database Credentials | Vercel env var (DB_URL) | Rotate DB user password; update connection string in Vercel |
| ☐ | HIGH | n8n Webhook Secret(s) | Vercel / n8n config | Regenerate webhook URLs in n8n; update any consumers |
| ☐ | HIGH | Vercel Account Password | Vercel login | Change at vercel.com → Account → Security |
| ☐ | HIGH | Google OAuth Client Secret | Vercel env var | Rotate at console.cloud.google.com → Credentials |
| ☐ | HIGH | Discord Bot Tokens (Ozzy/Mercy/Scout) | Vercel / Discord Dev Portal | Regenerate at discord.com/developers → Bot → Reset Token |
| ☐ | HIGH | Stripe / Payment Keys | Vercel env var (if any) | Rotate at dashboard.stripe.com → Developers → API Keys |
| ☐ | MEDIUM | NPM Auth Token | GitHub Actions / .npmrc | Rotate at npmjs.com → Access Tokens |
| ☐ | MEDIUM | Expo / EAS Token | Pop Off CI/CD | Rotate at expo.dev → Account → Access Tokens |
| ☐ | MEDIUM | Any JWT Signing Secret | Vercel env var | Regenerate and redeploy; invalidates all active sessions |
| ☐ | MEDIUM | SendGrid / Email API Key | Vercel env var (if any) | Rotate at sendgrid.com → Settings → API Keys |
Section 2 — Vercel Account Hardening
| Step | Action | Detail |
|---|---|---|
| 1 | Check for direct notification | Log into vercel.com — if you received a breach notification email you are in the confirmed affected subset. If not, still proceed with rotation. |
| 2 | Audit env vars — mark sensitive | Dashboard → Project → Settings → Environment Variables. For each secret: click Edit → toggle 'Sensitive' ON. Any var not marked sensitive was readable to the attacker. |
| 3 | Check Vercel activity log | Dashboard → Settings → Activity. Look for anomalous API calls, bulk enumeration, or access from unexpected IPs in April 2026. |
| 4 | Enable 2FA / Passkey | Account → Security → Two-Factor Authentication. Use an authenticator app or passkey. Do NOT rely on SMS alone. |
| 5 | Check Google OAuth for Context.ai | Go to admin.google.com → Security → API Controls → Third-Party App Access. Search for the Context.ai OAuth Client ID. Revoke if found. |
| 6 | Review team member access | Settings → Members. Remove any stale invites or accounts you don't recognize. Confirm MFA is on for all members. |
| 7 | Redeploy all affected projects | After rotating env vars, trigger a fresh deploy on atlantisits.ai, .co, .info, engine, ops, docs, IceBreakrz. Confirm new vars are live. |
Section 3 — Downstream System Checks
Even if Vercel confirms you're not in the direct hit list, check these systems for anomalous activity:
| Done | System | What to Check | Why It Matters |
|---|---|---|---|
| ☐ | GitHub | Settings → Security Log — look for unrecognized pushes, repo forks, or token usage | GitHub tokens in Vercel env vars could grant repo write access |
| ☐ | Cloudflare | Audit Log → check for DNS changes, WAF rule edits, or token usage from unknown IPs | All atlantisits.* domains route through Cloudflare |
| ☐ | OpenAI / Anthropic | Check API usage dashboards for unexpected token consumption or model calls | API key theft = direct cost and potential data exfil via prompt injection |
| ☐ | Discord (Ozzy / Mercy / Scout bots) | Discord Dev Portal → check bot token activity; confirm bots not used to relay commands | Bot tokens stored in Vercel env vars are in scope for this incident |
| ☐ | Forgejo / n8n (local + VPS) | Review n8n workflow logs for unexpected triggers; confirm Forgejo access logs look clean | n8n webhook secrets may be referenced in Vercel-connected workflows |
Section 4 — Post-Incident Hardening (V19 Items)
Pin these to the memory file and schedule before VPS deployment (original target: first week of May 2026):
- Mark ALL Vercel env vars as Sensitive going forward — no plaintext secrets ever stored unencrypted
- Add a pre-deployment secret audit step to SOP-003 (Pre-Upgrade Backup/Rollback)
- Create SOP-006: Credential Rotation Procedure — document rotation cadence for all Atlantis services
- Evaluate Doppler or HashiCorp Vault for centralized secrets management (especially for VPS Phase 1 stack)
- Before Hetzner/Hostinger VPS go-live: audit all env vars across Forgejo, n8n, NTFY, Nextcloud configs
- Enable Vercel Security Bulletin subscription — vercel.com/kb/bulletin to receive future incident alerts
- Scout intel task: monitor BreachForums / HaveIBeenPwned API for Atlantis domain email exposure
- Rotate credentials on a defined cadence: API keys 90 days, DB passwords 180 days, bot tokens on any personnel change
Sign-Off
| Completed by | _____ |
| Date | ___ |
| Verified by (Maranda / CFO) | _____ |
| Date | ___ |
Document Reference: INC-003 | Relates to: SOP-003, SOP-005 | Issued by: Ozzy (Claude / Atlantis ITS)
Confidential — internal use only. This document references rotation status for live credentials; treat its content with the same sensitivity as the secrets it tracks.