# The Dodo Digest: The AI Tool You Trusted Last Week Just Got Hacked > A Roblox hack script led to a Vercel-adjacent breach, exposing how AI tools expand the attack surface. We break down why security is now a system-level problem and what we've shipped to keep payments reliable and trusted. - **Author**: Rishabh Goel - **Published**: 2026-04-24 - **Category**: Newsletter - **URL**: https://dodopayments.com/blogs/newsletter-april24 --- **TL;DR:** - A single compromised credential led to a breach involving Vercel, not through code, but through trust. - As AI tools grow, so does the attack surface -- security is now a system-level problem. - Payments make this even more critical, because trust and data integrity directly impact revenue. - We continuously strengthen our systems to reduce risk across the entire payment lifecycle. - We've also rolled out improvements recently, and there's something bigger coming next. **Hello everyone,** I came across a tweet earlier this week that caught my attention. Apparently, the Vercel incident didn't start with a direct attack at all. It started somewhere upstream. An employee at a company Vercel depends on downloaded a Roblox hack script on their work laptop. That script turned out to contain an info stealer, which ended up extracting OAuth tokens and eventually being used to access connected systems. At first, it sounds almost absurd. But the more you think about it, the more uncomfortable it gets. This wasn't a sophisticated exploit targeting infrastructure. It was a simple action, taken in the wrong place, that quietly moved through a chain of trust until it reached something much larger. And that's what stood out. ## The Signal What happened here isn't an isolated incident. It's a pattern that's becoming more common as software becomes more interconnected. In this case, the breach didn't come from directly attacking Vercel. It came through a third-party AI tool that had been granted broad access permissions. Once that tool was compromised, it became a bridge into other systems. This is what modern attacks look like. They don't break through the front door. They move through connected systems, permissions, and integrations that were designed for convenience. And this is where the real shift is happening. For a long time, security was treated as a perimeter problem -- protect your system, secure your code, control access. But in an AI-driven ecosystem, where tools constantly connect to each other, the perimeter doesn't really exist anymore. Every integration expands your attack surface. Every permission granted is a potential entry point. The more powerful these systems become, the more fragile trust becomes. And unlike performance issues, security failures don't degrade gradually. They fail all at once. ## How To Think About This Here's how to approach this if you're building in this environment: 1. **Treat access as a liability, not just a feature.** Every API key, OAuth permission, or integration adds convenience, but it also introduces risk. Access should be scoped tightly and revisited often, not granted broadly and forgotten. 2. **Assume breaches will happen somewhere in the chain.** You may secure your system well, but you can't control every external dependency. Design your system with the assumption that something upstream or downstream may get compromised. 3. **Minimize blast radius.** If something goes wrong, the damage should be contained. This means isolating systems, limiting permissions, and avoiding single points of failure that expose everything at once. 4. **Monitor continuously, not periodically.** Security is not a one-time setup. It's an ongoing process. Logs, alerts, and anomaly detection matter more than static configurations. 5. **Build for trust, not just functionality.** In systems like payments, reliability isn't enough. Users trust you with sensitive data, and that trust is fragile. Security isn't just protection -- it's part of the product experience. ## What This Means for Payments This becomes even more important when payments are involved. Because payments are not just another feature in your system. They sit at the intersection of money, identity, and compliance. A failure here doesn't just affect functionality -- it affects trust, revenue, and in many cases, legal exposure. If a payment system is compromised, the impact isn't isolated. It cascades across users, transactions, and business operations. That's why security in payments isn't optional or reactive. It has to be built into the system from the ground up. ## A Parallel Shift Around the same time, another piece of news caught my attention. SpaceX is now working closely with Cursor, with an option to acquire the company for a massive valuation. What stood out here wasn't just the number -- it was the signal. AI tools are becoming deeply embedded into how critical systems are built and operated. The same tools that improve productivity are now part of the core development workflow. That makes them incredibly powerful. But it also makes them part of the trust chain. Which means the same question applies everywhere: Not just _how well does this work?_ But _how much do you trust it inside your system?_ ## What We Shipped This is something we take very seriously. When you're building payment infrastructure, security and reliability can't be treated as one-time setups. They have to evolve continuously alongside the system itself. On one side, we've focused on making the system more resilient in real-world scenarios, especially around how failures are handled and recovered. We introduced [abandoned cart recovery](https://docs.dodopayments.com/changelog/v1.94.0#1-abandoned-cart-recovery), helping bring users back into the flow when they drop off, and [subscription dunning](https://docs.dodopayments.com/changelog/v1.94.0#2-subscription-dunning), which automatically retries failed payments and recovers revenue that would otherwise be lost. At the same time, a big part of this is making sure the system itself is dependable at all times. Our infrastructure is designed to maintain consistent uptime, so payments continue to go through without disruption when it matters most. Alongside that, we've built in **real-time fraud detection** to identify and block suspicious transactions before they happen, and maintain [PCI compliance](https://docs.dodopayments.com/miscellaneous/subscription-migration#pci-dss-compliance-verification) to ensure all payment data meets the highest security standards. Because in payments, it's not just about enabling transactions. It's about making sure they go through, securely, reliably, and every single time. And we're continuing to build in this direction. We have some exciting updates coming next -- we'll share more in the next newsletter. ## One Last Thought The Vercel incident wasn't about a single mistake. It was about how interconnected systems behave when trust breaks at one point. As software becomes more composable and AI-driven, security is no longer something you layer on top. It becomes part of how the system is designed. Because in the end, the strongest systems won't just be the ones that work well. They'll be the ones you can trust to keep working. And before we wrap, here's the 4th and last riddle for this week's edition: _"I'm the final moment, where hesitation meets action. One click, one second, one feeling, and everything changes._ _**What am I?**"_ Got the answer? Keep it to yourself till the last edition of this month. Get them all right, and there's a reward waiting. Also, join our loving [Discord community](https://discord.gg/dodo-payments-1305511580854779984)! Best, Rishabh Goel Co-Founder, **Dodo Payments** --- - [More Newsletter articles](https://dodopayments.com/blogs/category/newsletter) - [All articles](https://dodopayments.com/blogs)