The Vercel hack should make every founder audit their AI tools today
A dark web listing went up yesterday. $2M asking price for Vercel's source code, database, and GitHub tokens. Vercel is a $9.3B company. They power millions of production sites including probably yours.

How did attackers get in? One employee used a small third-party AI tool. That tool had Google Workspace OAuth access. Tool got compromised. Attackers walked straight into Vercel's internal systems. 580 employee records walked out as proof of access.

This is the new attack surface nobody is talking about. Every AI tool your team connected to Gmail, Drive, Slack, or your CRM is a potential backdoor.

Three things to do today:

1. Go to Google Workspace Security, API Controls, App Access Control and audit every third-party app with broad permissions.
2. Go to your personal Google account Security settings and revoke any third-party app you are not actively using.
3. Rotate any API keys or tokens not stored in a proper secrets manager.

We learned this then protected our own servers. The attack vector is always the thing you forgot about.
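One way to run the first audit step over an export of OAuth grants, as an added example that is not part of the original post: it groups grants by app and flags those holding broad scopes. The records are constructed samples shaped like Admin SDK Directory API token resources; the app names, client IDs and the BROAD_SCOPES list are assumptions.

```python
from collections import defaultdict

# Scopes treated as broad here (an assumption; tune to your own policy).
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

# Constructed sample grants shaped like Admin SDK Directory API token
# resources (clientId, displayText, userKey, scopes). Hypothetical apps.
SAMPLE_TOKENS = [
    {"clientId": "111.apps.example", "displayText": "NotesSummarizer AI",
     "userKey": "alice@example.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"clientId": "111.apps.example", "displayText": "NotesSummarizer AI",
     "userKey": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"clientId": "222.apps.example", "displayText": "Calendar Widget",
     "userKey": "alice@example.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
]


def audit_grants(tokens, broad=BROAD_SCOPES):
    """Return one finding per app holding a broad scope, widest reach first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for tok in tokens:
        hits = {s for s in tok.get("scopes", []) if s in broad}
        if not hits:
            continue  # only narrow scopes such as openid or userinfo.email
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText", tok["clientId"])
        app["users"].add(tok["userKey"])
        app["broad"] |= hits
    findings = [{"clientId": cid, "name": a["name"],
                 "users": sorted(a["users"]), "broad_scopes": sorted(a["broad"])}
                for cid, a in apps.items()]
    # More broad scopes first, then more affected users.
    return sorted(findings,
                  key=lambda f: (-len(f["broad_scopes"]), -len(f["users"])))


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS):
        print(f["name"], f["users"], f["broad_scopes"])
```

Each finding lists the users who granted the app access, which is the set of accounts to review when deciding whether to block or restrict it.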