pier25 9 hours ago

Funny how the headline tries to spin this as an env vars issue.

By far the biggest issue is being able to access the production environment of millions of customers from a Google Workspace. Only a handful of Vercel employees should be able to do that with 2FA if not 3FA.

jwpapi 9 hours ago | parent [-]

No one should be, why are the environment variables not encrypted themselves and the encryption key is stored with your OAuth provider?

progbits 8 hours ago | parent [-]

Vercel runtime must be able to access the values (so customers' apps can use them). But nobody else should ever be able to. This is the typical amateur hour security but on the other hand, who was naive enough to expect any better from Vercel?