Twenty days after Vercel disclosed the OAuth-token breach traced to Context.ai's compromise of a Vercel employee's Google Workspace account, the company's last public statement on the incident is the same statement it issued April 21. [1] The cadence is the story. Twenty days of silence on a breach in which an upstream OAuth integration was used to extract customer-tenant data from one of the AI cycle's most widely used deployment platforms is, by infosec calendar standards, the longest no-update window of any 2026 cloud breach.
The ShinyHunters posting on the listed forum — which the Hacker News reporting verified through the screenshot trail — put the data at $2 million for the full set, with samples published as proof. The samples reportedly include API keys, environment variables, and customer-tenant project metadata. None of the affected customers, by Sunday morning, had received a direct notice from Vercel. The notification void is itself the legal hook the Class Action U solicitation has used. The paper's Saturday read named the no-update cadence as the incident; Day 20 with no update has now made that frame literal.
Day 11 of the Class Action U solicitation puts the firm at the threshold most plaintiff-side cyber practices treat as the trigger for a complaint filing. The solicitation reportedly has more than 800 customer signatories. The firm's typical filing window after that threshold is between five and seven business days, which would put a complaint on file before the end of the week. Vercel's silence has, on this trajectory, held until the moment a complaint forces the company to file an 8-K.
The Context.ai upstream — the actual breach vector — has issued one further statement, a corporate blog post on April 28 acknowledging the OAuth-token compromise and announcing token-rotation across the Context.ai customer base. The Vercel-side equivalent has not appeared. The structural asymmetry in disclosure is the one the plaintiffs' bar will price.
-- THEO KAPLAN, San Francisco