Security Advisory
Security Incident Advisory (Your Project Is Not Affected)
Summary
Before anything else: there is no known security risk to your project, and no action is required on your part.
On April 19, 2026, the company we use for hosting applications identified and disclosed a security incident affecting a limited subset of their customers. They individually notified any customers whose accounts were directly affected, and none of our projects were affected. Out of an abundance of caution, they recommended that all customers rotate their environment variable “keys,” and we're completing that work over the coming days.
This post exists to give you context, explain what's happening in plain language, and make clear what we're doing about it so you don't have to wonder.
What happened
Our hosting provider, Vercel, is one of the most widely trusted platforms in the industry, used by companies like Nike, Under Armour, Notion, and The Washington Post. As part of their standard security practices, they identified unauthorized access to certain internal systems, traced it to a compromised third-party tool used by one of their employees, and disclosed the incident publicly. This kind of transparent, timely disclosure is exactly what you'd want from a responsible vendor, and a reason we continue to recommend them for client projects.
While inside their systems, the attacker could view certain configuration values (called “environment variables” or “keys”) that the platform stores for customer projects. The affected customers were contacted individually.
What are “keys”?
Think of them as passwords that let different software services talk to each other. A typical project might use one key to connect to its database, another to connect to an AI service like Anthropic, another to send emails, and so on. If someone obtained those keys, they could in theory use them to access the connected services, which is why rotation (changing the “passwords”) is the standard response whenever there's even a possibility of exposure. Rotation only helps if the old key actually stops working, so each rotation issues a new key, switches the project over to it, and then revokes the old one; a copied key is useless after that point.
What this means for your project
- There is no known exposure of your data or credentials.
- We're rotating keys across all projects we manage, following our hosting provider's guidance. This is hygiene, not damage control.
- There is no expected downtime and no action required from you. We'll handle the rotation entirely on our side.
What we're doing to strengthen this going forward
We're using this as an opportunity to upgrade how we manage keys across every project we run. Specifically:
- Moving all project keys into Doppler, a dedicated secrets management platform. This gives each project a single source of truth for credentials and makes rotation much faster, so if a provider ever issues this kind of recommendation again we can re-key every project quickly instead of hunting for values across dashboards. It does not stop a hosting provider from being compromised, but it shrinks the window in which a leaked key is useful.
- Enabling a newer platform feature that stores credential values write-only: a deployment can use them, but they can no longer be read back through the dashboard or API once saved. This is designed specifically to protect against the exposure pattern seen in this incident, where stored values were viewable.
- Standardizing a key rotation cadence so rotations happen regularly as a matter of course, not only in response to incidents.
None of these changes require action from you or change your costs. The rotation work itself does come out of this month's allocated hours, the same way any maintenance or platform work does. We mention all this only so you can see that the response is structural, not just reactive.
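As an added illustration of the rotation pattern behind the “no downtime” and “regular cadence” points above (this is example code written for this page, not the agency's own tooling and not the Doppler or Vercel API): a new key is issued while the old one stays valid for a short grace window, the old one is then revoked, and an audit flags any key older than the agreed cadence. The secret names, the 24-hour grace window and the 90-day cadence are assumptions chosen for the example.

```python
"""Rotate a secret with an overlap window and audit rotation cadence.

Added illustration for this advisory; not the agency's tooling or any
vendor API. Secret names, grace window and cadence are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import secrets


@dataclass
class KeyVersion:
    value: str
    created: datetime
    revoke_at: Optional[datetime] = None  # None: current key, no revocation scheduled

    def is_valid(self, now: datetime) -> bool:
        return self.revoke_at is None or now < self.revoke_at


@dataclass
class ManagedSecret:
    name: str
    versions: List[KeyVersion] = field(default_factory=list)

    def current(self) -> KeyVersion:
        return self.versions[-1]

    def accepts(self, presented: str, now: datetime) -> bool:
        """True if the service would still accept `presented` at time `now`."""
        return any(
            secrets.compare_digest(v.value, presented) and v.is_valid(now)
            for v in self.versions
        )

    def last_rotated(self) -> datetime:
        return self.current().created


def rotate(secret: ManagedSecret, now: datetime, grace: timedelta) -> KeyVersion:
    """Issue a fresh key and schedule revocation of the previous one after `grace`.

    The overlap lets running deployments finish with the old key while new ones
    pick up the fresh key, so rotation needs no downtime. The old key must be
    revoked at the end of the window; otherwise a copied key keeps working.
    """
    if secret.versions:
        secret.current().revoke_at = now + grace
    fresh = KeyVersion(value=secrets.token_urlsafe(32), created=now)
    secret.versions.append(fresh)
    return fresh


def overdue(managed: List[ManagedSecret], now: datetime, cadence: timedelta) -> List[str]:
    """Names of secrets whose current key is older than the rotation cadence."""
    return [s.name for s in managed if now - s.last_rotated() > cadence]


def demo() -> dict:
    """Walk through one rotation on constructed sample secrets (not real values)."""
    t0 = datetime(2026, 4, 20, tzinfo=timezone.utc)
    db = ManagedSecret("DATABASE_URL", [KeyVersion("old-db-key", t0 - timedelta(days=200))])
    mail = ManagedSecret("EMAIL_API_KEY", [KeyVersion("old-mail-key", t0 - timedelta(days=100))])
    old_value = db.current().value

    fresh = rotate(db, t0, grace=timedelta(hours=24))  # assumed 24h overlap
    return {
        "old_key_during_grace": db.accepts(old_value, t0 + timedelta(hours=1)),
        "old_key_after_grace": db.accepts(old_value, t0 + timedelta(hours=25)),
        "new_key_after_grace": db.accepts(fresh.value, t0 + timedelta(hours=25)),
        "overdue_after_rotation": overdue([db, mail], t0 + timedelta(days=1), timedelta(days=90)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the grace window is the zero-downtime claim: a deployment that already holds the old key keeps working until the window closes, and nothing that copied the key works after it. The `overdue` check is what a scheduled cadence looks like in practice: run it on a timer and rotate whatever it returns.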
Our broader take
Incidents like this are uncomfortable but not unusual. Every major platform will eventually disclose something. The meaningful signal is how they respond, not whether it happens. Our hosting provider caught this, disclosed it clearly, notified affected customers directly, and has shipped security improvements within days. That's the behavior of a platform we're comfortable continuing to recommend.
If you have any questions about your specific project, please reach out directly. We're always happy to walk through anything here in more detail.