Hackers Leak Over 24M User Records From Vimeo’s Livestream
Well this is lovely. Just absolutely lovely news to wake up to on a random Tuesday. Over 24 million user records from Vimeo’s Livestream platform have been scraped and dumped onto the dark web for literally anyone to download. We’re talking 7 gigabytes of user data just… out there now. Free for the taking. Available to every scammer, identity thief, and malicious actor with an internet connection and the basic knowledge of how to navigate shady forums.

According to security researchers who discovered the breach, the leaked data includes pretty much everything you’d expect from a registration database – email addresses, usernames, locations, profile information, the works. The kind of information that makes identity theft and phishing attacks way easier. The kind of package that bad actors dream about because it connects real people to real accounts with verified details.
Here’s the annoying part though. Vimeo is calling this “data scraping” rather than a breach, which is technically different I guess but honestly feels like splitting hairs when 24 million people’s information is floating around the internet waiting to be exploited. This isn’t even the first time we’ve seen big tech downplay security incidents that affected millions of users. It’s like a script they all follow. “It wasn’t a breach, it was unauthorized access.” “The data was publicly available anyway.” “We take security seriously.” Sure you do.
What Actually Got Leaked Though
The database reportedly contains usernames, email addresses, hashed passwords, location data, and various profile information. Basically if you ever created a Livestream account before Vimeo acquired it, your data might be in there. And “might” is doing a lot of work in that sentence because 24 million records is a LOT of people. That’s more than the population of Florida. That’s nearly as many people as live in Australia. All their account info, compiled neatly for criminals.
Vimeo put out a statement saying their investigation “determined that neither the Livestream platform nor existing security controls were compromised” and that the scraped information was “already publicly available.” Which okay sure but having it all compiled in one downloadable package is a VERY different situation than scattered public profiles that would take forever to collect manually. The convenience factor matters here. A lot.
It’s like saying “well technically all those houses have street addresses that anyone could drive by and see.” True! But that’s different from handing someone a detailed map of every house, who lives there, their email, and other personal info. Context matters. Aggregation matters. And companies love to pretend it doesn’t when they’re trying to minimize a PR disaster.
What You Should Actually Do About This
If you ever had a Livestream account – and this could be from years ago, before Vimeo even bought them – change your password. Like now. Don’t finish reading this article first, just go do it. Even if the passwords in the dump are hashed, determined attackers can sometimes crack them, especially if you used a weak password (and let’s be honest, most people did back then). And if you used that same password anywhere else – which you shouldn’t do but we all know people do because remembering 50 different passwords is genuinely annoying – change those too.
Also keep an eye out for phishing emails over the next few months. Now that scammers have a nice verified list of email addresses belonging to people who use video streaming services, expect targeted spam and scam attempts. Emails that look like they’re from Vimeo asking you to verify your account. Messages claiming there’s a problem with your subscription. The usual stuff but now targeted at people they KNOW have accounts.
The usual advice applies – don’t click suspicious links, verify anything that asks for credentials by going directly to the site rather than through email links, maybe set up credit monitoring if you’re paranoid about identity theft. It’s exhausting that we have to do all this because companies can’t keep our data safe, but here we are. This is the world we live in now.
