Vercel's customer page is not an incident report. It is a scale document.

Thursday's paper warned that Vercel customers include OpenAI, Cursor and Pinterest, while also saying the second-wave bulletin confirmed an OAuth supply-chain problem. Friday's correction is discipline: public customer presence is not customer-specific compromise.

Vercel's own bulletin identifies the chain as a Context.ai Google Workspace OAuth-app compromise that let an attacker move from a Vercel employee account into internal systems. [1] LangProtect and Trend Micro both describe the same lesson: third-party AI tools can create enterprise OAuth exposure that ordinary perimeter defenses do not see. [2] [3] TechCrunch's original report remains useful because it pins the company response to customer-data theft and remediation, not rumor. [4]

The platform-risk story is therefore larger than any one named customer and narrower than X's worst claims. The risk is that modern developer platforms hold deployment pathways for companies whose own security teams may not control the employee OAuth grant that opened the door.

The customer list makes the breach important. It does not make every customer breached. That distinction is not pedantry. It is the line between platform-risk reporting and laundering a rumor through a famous logo.

-- THEO KAPLAN, San Francisco