Checkout.com was targeted by the cybercriminal group **ShinyHunters** in early November 2025 via a **ransomware attack** exploiting a legacy third-party cloud storage system that had not been properly decommissioned. The breach exposed **internal operational documents and merchant onboarding materials from 2020 and earlier**, affecting **less than 25% of its current merchant base**. While **no live payment systems, merchant funds, or card numbers were compromised**, the incident involved unauthorized access to legacy data. The company **refused to pay the ransom**, instead donating the demanded amount to **Carnegie Mellon University and the University of Oxford Cyber Security Center** to combat cybercrime. Checkout.com emphasized **transparency, accountability, and collaboration with law enforcement**, while contacting impacted customers and regulators. The breach highlighted vulnerabilities in legacy system decommissioning but did not disrupt core financial operations or expose sensitive financial data.
Checkout.com cybersecurity rating report: https://www.rankiteo.com/company/checkout
"id": "CHE3702137111525",
"linkid": "checkout",
"type": "Ransomware",
"date": "6/2020",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'less than 25% of current '
'merchant base',
'industry': 'fintech',
'name': 'Checkout.com',
'type': 'payment processing company'}],
'attack_vector': 'legacy third-party cloud file storage system (improperly '
'decommissioned)',
'customer_advisories': ['notifications to affected merchants'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'moderate (historical operational and '
'onboarding data)',
'type_of_data_compromised': ['internal operation documents',
'merchant onboarding materials']},
'date_detected': '2025-11-01',
'date_publicly_disclosed': '2025-11-01',
'description': 'Checkout.com was targeted by a digital extortion attempt by '
'the threat actor group ShinyHunters in November 2025. '
'Attackers accessed a legacy third-party cloud file storage '
'system that had not been properly decommissioned, exposing '
'internal operation documents and merchant onboarding '
'materials from 2020 and earlier. The company refused to pay '
'the ransom, opting instead to donate the demanded amount to '
'Carnegie Mellon University and the University of Oxford Cyber '
'Security Center. Live payment processing systems, merchant '
'funds, and card numbers were not compromised.',
'impact': {'brand_reputation_impact': 'positive (praised for transparency and '
'refusal to pay ransom)',
'data_compromised': ['internal operation documents',
'merchant onboarding materials (pre-2021)'],
'downtime': 'none (live payment processing systems unaffected)',
'identity_theft_risk': 'none (no card numbers or merchant funds '
'accessed)',
'operational_impact': 'limited (less than 25% of current merchant '
'base affected)',
'payment_information_risk': 'none',
'systems_affected': ['legacy third-party cloud file storage']},
'initial_access_broker': {'entry_point': 'legacy third-party cloud file '
'storage system'},
'investigation_status': 'ongoing (coordinating with law enforcement and '
'regulators)',
'lessons_learned': 'Importance of proper decommissioning of legacy systems, '
'transparency in incident response, and refusal to fund '
'criminal activity through ransom payments.',
'motivation': 'financial extortion',
'post_incident_analysis': {'corrective_actions': ['donation to cybersecurity '
'research',
'enhanced coordination with '
'law enforcement and '
'regulators'],
'root_causes': ['improper decommissioning of '
'legacy cloud storage',
'oversight in third-party system '
'management']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'recommendations': ['ensure thorough decommissioning of legacy systems',
'invest in cybersecurity research and collaboration with '
'academic institutions',
'maintain transparency with stakeholders during '
'incidents'],
'references': [{'source': 'TechRadar'}],
'regulatory_compliance': {'regulatory_notifications': True},
'response': {'communication_strategy': ['public apology by CTO',
'transparency in disclosure',
'donation to cybersecurity research '
'centers'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['contacting impacted customers',
'coordinating with regulators']},
'stakeholder_advisories': ['public statement by CTO Mariano Albera',
'contacting impacted merchants'],
'threat_actor': 'ShinyHunters',
'title': 'Checkout.com Ransomware Extortion Attempt by ShinyHunters (November '
'2025)',
'type': ['data breach', 'ransomware extortion attempt'],
'vulnerability_exploited': 'improper decommissioning of legacy cloud storage'}