Full Report
UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom. [...]
Analysis Summary
# Incident Report: Checkout.com Legacy Cloud Storage Breach by ShinyHunters
## Executive Summary
Checkout.com was targeted by the ShinyHunters threat group, which gained unauthorized access to a legacy, un-decommissioned third-party cloud storage system. The breach resulted in the exfiltration of merchant data dating back to 2020 and earlier. Checkout.com refused to pay the ransom, opting instead to donate the requested sum to cybersecurity research institutions, and moved immediately to strengthen its security posture.
## Incident Details
- Discovery Date: Last week (prior to November 14, 2025)
- Incident Date: Sometime before the contact date, involving data from 2020 and prior years.
- Affected Organization: Checkout.com
- Sector: Financial Technology (FinTech) / Payment Processing
- Geography: UK (headquarters)
## Timeline of Events
### Initial Access
- Date/Time: Not specified, but access occurred via a legacy third-party cloud file storage system used in 2020 and prior years.
- Vector: Unauthorized access to an un-decommissioned third-party legacy system.
- Details: The specific initial vector (e.g., phishing, vulnerable service) used by ShinyHunters is **not disclosed**.
### Lateral Movement
- Details: **Not disclosed** in the provided context. The attack appears to have been focused on accessing and exfiltrating stored data within the compromised legacy system.
### Data Exfiltration/Impact
- Details: Data relating to a significant portion of the merchant base (estimated at less than 25% of current merchants, plus past customers) was exfiltrated. Data types include internal operational documents and onboarding materials.
### Detection & Response
- Date/Time: "Last week" prior to November 14, 2025, when Checkout.com was contacted by ShinyHunters.
- Details: Investigation confirmed unauthorized access to the legacy cloud system. The company decided not to pay the ransom.
## Attack Methodology
- Initial Access: Compromise of a **legacy third-party cloud file storage system** that was not properly decommissioned.
- Persistence: **Not disclosed**.
- Privilege Escalation: **Not disclosed**.
- Defense Evasion: **Not disclosed**.
- Credential Access: **Not disclosed**.
- Discovery: **Not disclosed**, though ShinyHunters' typical initial-access methods include phishing, OAuth attacks, and social engineering.
- Lateral Movement: **Not disclosed**.
- Collection: Gathering of merchant data (operational documents, onboarding materials).
- Exfiltration: Data exfiltration from the cloud storage system.
- Impact: Extortion attempt.
## Impact Assessment
- Financial: Ransom demand was made (amount not specified). Checkout.com decided to forgo payment. Costs related to remediation and security upgrades are expected.
- Data Breach: Merchant data from 2020 and earlier, including internal operational documents and onboarding materials, affecting less than 25% of current merchants and past customers.
- Operational: No significant operational disruption was reported; the disclosure focuses on the data breach risk.
- Reputational: Public announcement confirming the breach and subsequent refusal to pay the ransom.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Exploitation of older, un-decommissioned cloud storage infrastructure.
## Response Actions
- Containment measures: Investigation was launched immediately upon contact.
- Eradication steps: The specific legacy third-party system was likely taken offline or secured, and the company committed to strengthening security measures.
- Recovery actions: Commitment to future security enhancements. Response strategy included **refusing to pay the ransom**. Instead, the intended ransom sum will be donated to Carnegie Mellon University and the University of Oxford Cyber Security Center.
## Lessons Learned
- Legacy Systems Management: Failure to properly decommission and secure older, third-party cloud storage systems poses a significant, exploitable risk even years later.
- Ransomware/Extortion Protocol: A defined policy of refusing payment when sensitive historical data is exposed.
## Recommendations
- **Asset Inventory and Decommissioning:** Implement rigorous auditing and immediate decommissioning protocols for all legacy cloud storage and third-party services.
- **Supply Chain Security:** Enhance oversight and security requirements for all third-party systems integrated with core or historical data repositories.
- **Threat Intelligence Integration:** Monitor known threat actors like ShinyHunters for emerging TTPs, especially since they are known for tactics like phishing and OAuth attacks (though neither is confirmed to have been used here).