Full Report
Our statement detailing an incident concerning a legacy system. We outline our commitment to transparency, accountability, and planned investment in cyber security research.

Last week, Checkout.com was contacted by a criminal group known as “ShinyHunters”, who claimed to have obtained data connected to Checkout.com and demanded a ransom. Upon investigation, we determined that this data was obtained by gaining unauthorized access to a legacy third-party cloud file storage system, used in 2020 and prior years. We estimate that this would affect less than 25% of our current merchant base. The system was used for internal operational documents and merchant onboarding materials at that time.
Analysis Summary
# Incident Report: Unauthorized Access to Legacy Cloud Storage System
## Executive Summary
Checkout.com was targeted by the criminal group "ShinyHunters", who demanded a ransom after claiming to have stolen proprietary data. Investigation confirmed unauthorized access to a **legacy, third-party cloud file storage system** used in 2020 and prior years. The exposed data consisted of internal operational documents and merchant onboarding materials held in that system, estimated to affect less than 25% of the current merchant base; the live payment platform, merchant funds, and card data were not affected. Checkout.com refused to pay the ransom, took responsibility for the improperly decommissioned legacy system, and announced a donation of the intended ransom amount to cybersecurity research centers.
## Incident Details
- Discovery Date: Last week (prior to November 12, 2025)
- Incident Date: Not stated explicitly; the compromised system was in use in 2020 and prior years.
- Affected Organization: Checkout.com
- Sector: Financial Technology (FinTech) / Payment Processing
- Geography: Not explicitly stated; global operations are implied.
## Timeline of Events
### Initial Access
- Date/Time: Not stated; the access occurred at some point before last week's notification, exploiting the improperly decommissioned state of a system dating to 2020 or earlier.
- Vector: Unauthorized access to a **legacy third-party cloud file storage system**.
- Details: The system was not decommissioned properly, leading to the exposure.
### Lateral Movement
- *Not explicitly detailed in the provided text.* The focus remains on the initial access vector (the legacy storage system).
### Data Exfiltration/Impact
- Date/Time: Not stated; the data was obtained at some point during the compromise of the legacy system.
- Details: Data related to internal operational documents and merchant onboarding materials stored in that legacy cloud system was obtained.
### Detection & Response
- Date/Time: "Last week" (relative to November 12, 2025 publication date).
- Detection Method: Checkout.com was contacted directly by the criminal group "ShinyHunters."
- Response actions taken: Investigation launched, law enforcement and regulators notified, impacted merchants identified and contacted, ransom refused.
## Attack Methodology
- Initial Access: Gaining unauthorized access to an **unsecured, legacy third-party cloud file storage system**.
- Persistence: *Not detailed.*
- Privilege Escalation: *Not detailed.*
- Defense Evasion: *Not detailed.*
- Credential Access: *Not detailed.*
- Discovery: *Not detailed.*
- Lateral Movement: *Not detailed.*
- Collection: Gathering internal operational documents and merchant onboarding materials.
- Exfiltration: Data was exfiltrated from the compromised cloud storage.
- Impact: Exposure of historical operational and onboarding data for a subset of merchants.
## Impact Assessment
- Financial: Ransom demand was made, but the company refused to pay. The stated financial response is a **donation** of the ransom amount to CMU and Oxford Cyber Security Centers.
- Data Breach: Historical internal operational documents and merchant onboarding materials potentially belonging to **less than 25% of the current merchant base**.
- Operational: The live payment processing platform, merchant funds, and card numbers were **not impacted**.
- Reputational: A commitment to transparency (public statement) was made, acknowledging the mistake regarding the legacy system.
## Indicators of Compromise
- *No specific IOCs (IPs, domains, hashes) were provided in the text.*
## Response Actions
- Containment measures: Investigation initiated to determine the scope of the breach.
- Eradication steps: The improper decommissioning of the legacy system was identified as the root cause; no further eradication steps are described in the statement.
- Recovery actions: Working closely with law enforcement and regulators; identifying and contacting all impacted merchants.
## Lessons Learned
- **Proper Decommissioning:** Failure to properly decommission legacy systems (specifically a third-party cloud file storage system used up to 2020) created an avoidable vulnerability. This was acknowledged as the company's mistake.
- **Ransom Refusal:** Commitment to not yielding to criminal extortion.
- **Investment in Security:** Commitment to turning the negative event into a positive investment for the industry by funding cyber security research.
## Recommendations
- Immediately review and securely decommission all deprecated, legacy, third-party cloud storage systems and associated access credentials.
- Enhance auditing processes to ensure that retired infrastructure used for handling sensitive data is completely purged or securely migrated.
- Continue clear and transparent communication with merchants regarding data security posture.