
AI cloud company Vercel was breached after an employee granted an AI tool unrestricted access to Google Workspace – hacker demanded 2 million US dollars for stolen data
https://www.tomshardware.com/tech-industry/cyber-security/vercel-breached-after-employee-grants-ai-tool-unrestricted-access-to-google-workspace
5 comments
To be fair, falling for a Roblox virus and getting the whole company ransomware’d is probably the closest AI has come to being an actual employee since its inception
the pattern here is consistent with how a lot of AI-related breaches happen: it’s not the AI doing something clever, it’s someone granting broad access because scoping it properly felt like friction.
"give the AI tool access to your workspace" is becoming the new "give the contractor admin so they can get their work done." same underlying problem.
the harder version is that most users have no way to evaluate whether the access an AI tool is asking for is actually necessary for what it claims to do. the ask is usually framed broadly and accepting it is the path of least resistance. least privilege feels like overhead until it’s the thing that would have stopped a $2M ransom demand.
Damn that’s where I have my website hosted lol
Anyone know what this means for Vercel's very common `ai` npm package? Should we be skipping any recent version and waiting for a package that they sign with new keys?
The article title is click bait asf. The employee was using a tool that got compromised and the company that made the tool didn’t let anyone know that OAuth tokens were compromised as well.
So because the tool was already verified for the Google account the hacker was able to break in and go into Vercel's network.
It’s not some case of oh stupid dev using AI.
Also vercel is a hosting company not an AI company