Global payment processing firm Checkout, which operates checkout.com, recently disclosed a data breach orchestrated by the notorious cybercrime group, ShinyHunters. The threat actors gained unauthorized access to one of the company’s legacy third-party cloud storage systems. Following the breach, ShinyHunters contacted Checkout and issued a ransom demand, threatening to publish the stolen data if the payment was not made.
Checkout provides a unified payments API, hosted payment portals, and mobile SDKs, supporting a multitude of payment methods for its clients. Its extensive systems are integrated into some of the world’s largest businesses, including major retailers and tech firms such as eBay, Uber Eats, adidas, IKEA, and Samsung, handling billions in merchandise revenue annually. The company’s comprehensive services also feature fraud detection, identity verification (KYC), and a robust dispute system for its vast global client base.
The compromised system was identified as a legacy file storage platform that had been in use during 2020 and prior years but was not properly decommissioned. The stolen data includes internal operational documents, merchant onboarding materials, and other sensitive information from that period. Checkout estimates that the exposure affects less than 25% of its current merchant base, though the breach also impacts past customers who utilized their services prior to 2021.
ShinyHunters is an international cybercrime organization known for exfiltrating data from large corporations, typically through methods like phishing, OAuth attacks, and social engineering, and subsequently demanding substantial payments to prevent the public release of the information. The group has been involved in several high-profile incidents, including the exploitation of the Oracle E-Business Suite zero-day (CVE-2025-61884) and attacks earlier this year impacting a large number of organizations tied to the Salesforce and Drift platforms.
In response to the extortion attempt, Checkout announced a firm decision not to pay the requested ransom to the criminal group. Instead of complying with the demands, the company stated it will invest in strengthening its security infrastructure. Furthermore, Checkout has pledged to donate the amount of the demanded ransom to the Carnegie Mellon University and the University of Oxford Cyber Security Center to fund research projects focused on combating cybercrime.
Reference:
