Payment Processor Checkout.com Breached by ShinyHunters via Legacy Cloud Storage; Refuses Ransom and Donates to Cybersecurity Research

Severity: HIGH
Published: November 14, 2025
Updated: November 16, 2025
Categories: Data Breach, Threat Actor, Cloud Security

Impact Scope

Affected Companies: Checkout.com

Industries Affected: Finance, Technology

Related Entities (initial): Checkout.com, Carnegie Mellon University, University of Oxford, Ticketmaster

Full Report (when first published)

Executive Summary

Global payment processor Checkout.com has confirmed it was the target of a data breach by the notorious ShinyHunters cybercrime group. The attackers gained access to a legacy cloud file storage system containing internal operational documents. In a notable departure from typical incident responses, Checkout.com has publicly refused to pay the ransom demanded by the attackers. Instead, the company has pledged to donate the equivalent sum to the cybersecurity research centers at Carnegie Mellon University and the University of Oxford. The company's investigation found that its core payment processing environment, merchant funds, and payment card data were not compromised, as the breach was contained to an isolated, outdated system.


Threat Overview

The breach was initiated by ShinyHunters, a well-known threat group responsible for numerous high-profile data breaches, including attacks on Microsoft and Ticketmaster. The group's primary motivation is financial, typically achieved by stealing data and either selling it on dark web forums or extorting the victim company. In this case, the attackers identified and exploited a gap in Checkout.com's asset inventory: a legacy third-party cloud storage system that was last used in 2020 but had never been properly decommissioned. This oversight gave the attackers an entry point through which to access and exfiltrate data.


Technical Analysis

The root cause of the breach was a failure in asset management and decommissioning processes. The attack vector was not a sophisticated zero-day, but rather the exploitation of a forgotten, insecure asset.

  • Attack Vector: Access to an insecure, legacy cloud file storage system.
  • Data Exposed: Internal operational documents and merchant onboarding materials. The data of less than 25% of the current merchant base may have been affected.
  • Data Not Exposed: Core payment platform, merchant funds, payment card numbers (PCI data).

This incident highlights a common but critical security gap: organizations losing track of their digital assets, especially in complex, multi-cloud environments. Such 'shadow IT' or legacy systems often fall outside the scope of regular security monitoring and patching, making them prime targets for attackers.


Impact Assessment

While the breach did not compromise the most sensitive financial data, the impact is still significant:

  • Operational Impact: The company has had to dedicate resources to investigation, remediation, and merchant notification, causing operational friction.
  • Reputational Impact: A data breach at a payment processor can damage trust. However, Checkout.com's transparent communication and its decision to donate the ransom amount may mitigate some of this damage and generate positive sentiment.
  • Regulatory Scrutiny: The company is collaborating with law enforcement and regulatory bodies, which could lead to investigations and potential fines depending on the nature of the exposed data and applicable regulations like GDPR.

Detection & Response

Detecting such an incident relies on comprehensive visibility into all cloud assets.

  1. Cloud Security Posture Management (CSPM): Use CSPM tools to continuously scan cloud environments for misconfigurations, public-facing storage objects, and inactive but provisioned resources.
  2. Data Loss Prevention (DLP): Implement DLP solutions to monitor and alert on large or unusual data movements from cloud storage, which could indicate exfiltration.
  3. Asset Inventory: Maintain a complete and up-to-date inventory of all IT and cloud assets. This is foundational to security and a key D3FEND principle related to System Configuration Permissions.

Checkout.com's response sets a strong precedent. By refusing to pay the ransom, they avoid funding criminal activity. By donating the funds, they turn a negative event into a positive contribution to the security community, reinforcing their commitment to fighting cybercrime.


Mitigation

To prevent similar breaches, organizations must focus on fundamental cybersecurity hygiene:

  • Asset Management and Decommissioning: Implement strict processes for tracking all assets throughout their lifecycle. When a system or service is retired, ensure all associated data is securely deleted and the infrastructure is fully de-provisioned.
  • Cloud Access Control: Enforce the principle of least privilege for all cloud resources. Ensure that storage objects are not publicly accessible by default and that access is restricted to authorized users and services.
  • Regular Audits: Conduct periodic audits of cloud environments to identify and remediate abandoned or misconfigured assets.
  • Vendor Risk Management: When using third-party cloud services, ensure their security posture meets your organization's standards and that clear lines of responsibility are established.

Timeline of Events

  1. November 14, 2025: This article was published.

Article Updates

November 16, 2025

Checkout.com reiterates breach details, confirms refusal to pay extortion, and emphasizes no sensitive financial data was compromised.

MITRE ATT&CK Mitigations

Properly configuring cloud storage permissions to prevent public access is a fundamental mitigation against this type of attack.

Regularly auditing cloud environments for legacy systems and misconfigurations can identify and eliminate insecure assets before they are exploited.

Implementing a robust asset lifecycle management process, including secure decommissioning of retired systems, is crucial.

D3FEND Defensive Countermeasures

In the context of the Checkout.com breach, Application Configuration Hardening must be applied rigorously to all cloud assets. This involves establishing a baseline secure configuration for all cloud services, especially storage. For example, all S3 buckets or Azure Blob storage containers should be configured to 'block public access' by default. This policy should be enforced programmatically using Infrastructure as Code (IaC) templates and validated continuously with Cloud Security Posture Management (CSPM) tools. Furthermore, a critical part of this hardening is a formal decommissioning process. When a system like the legacy file storage server is retired, the process must include not just shutting down the compute instance but also securely wiping and deleting the associated storage and revoking all access keys. This prevents the exact scenario that led to this breach.
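The CSPM-style check described above (inactive but still-provisioned storage, public access not blocked, no accountable owner) as an added example, not code from the article or from Checkout.com; the inventory records and bucket names are constructed, and the one-year staleness threshold is an assumption:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory, modelled on what a CSPM export or cloud
# inventory API returns for object storage. Names and dates are made up.
NOW = datetime(2025, 11, 14, tzinfo=timezone.utc)
INVENTORY = [
    {"name": "payments-prod-ledger", "public_access_blocked": True,
     "last_activity": "2025-11-13T22:10:00Z", "owner_tag": "payments-platform"},
    {"name": "legacy-docs-share", "public_access_blocked": False,
     "last_activity": "2020-09-30T08:00:00Z", "owner_tag": None},
    {"name": "onboarding-archive", "public_access_blocked": True,
     "last_activity": "2021-02-01T00:00:00Z", "owner_tag": "merchant-ops"},
]

STALE_AFTER = timedelta(days=365)  # assumed threshold for "abandoned"

def audit_bucket(bucket, now=NOW, stale_after=STALE_AFTER):
    """Return finding codes for one storage bucket record (empty if clean)."""
    findings = []
    if not bucket["public_access_blocked"]:
        findings.append("PUBLIC_ACCESS_NOT_BLOCKED")
    last = datetime.fromisoformat(bucket["last_activity"].replace("Z", "+00:00"))
    if now - last > stale_after:
        findings.append("STALE_RESOURCE")
    if not bucket.get("owner_tag"):
        findings.append("NO_OWNER")
    return findings

def audit_inventory(inventory, now=NOW, stale_after=STALE_AFTER):
    """Map bucket name -> findings, keeping only buckets that have any."""
    report = {}
    for bucket in inventory:
        findings = audit_bucket(bucket, now, stale_after)
        if findings:
            report[bucket["name"]] = findings
    return report

def severity(findings):
    """Rank findings: public exposure first, then stale and unowned."""
    if "PUBLIC_ACCESS_NOT_BLOCKED" in findings:
        return "high"
    if "STALE_RESOURCE" in findings and "NO_OWNER" in findings:
        return "medium"
    return "low" if findings else "none"

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{severity(findings):6} {name}: {', '.join(findings)}")
```

The stale-and-unowned combination is the profile of the forgotten system in this incident; in practice the report feeds a decommissioning ticket rather than a console printout.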

To proactively detect attackers like ShinyHunters who scan for exposed assets, organizations can strategically place Decoy Objects, or honeypots, in their cloud environments. This could involve creating a publicly accessible S3 bucket named something enticing like 'prod-backup-credentials' or 'customer-data-archive'. This bucket would contain fake but realistic-looking files (e.g., 'aws_keys.csv', 'user_database.sql'). Any interaction with this decoy bucket—such as a list, get, or head request—would be an immediate, high-fidelity alert of malicious reconnaissance. This technique would not have prevented the Checkout.com breach on its own, but it provides an early warning system that an attacker is probing the environment, allowing security teams to respond before a real, forgotten asset is found and exploited.
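The decoy-bucket alerting described above, as an added example that is not part of the article: it filters CloudTrail-style S3 data events for list, get or head requests against the decoy names the article suggests. The log records are constructed and the decoy and event-name sets are assumptions:

```python
import json

# Decoy bucket names, following the article's suggestion (constructed).
DECOY_BUCKETS = {"prod-backup-credentials", "customer-data-archive"}

# S3 data-event names that mean someone listed or read decoy content.
WATCHED_EVENTS = {"ListObjects", "ListObjectsV2", "GetObject", "HeadObject", "HeadBucket"}

# Constructed CloudTrail-style records (field names mirror the real schema,
# every value is made up). One JSON object per line.
SAMPLE_LOG = """
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"}, "requestParameters": {"bucketName": "prod-backup-credentials", "key": "aws_keys.csv"}}
{"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "sourceIPAddress": "10.0.4.12", "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"}, "requestParameters": {"bucketName": "payments-prod-ledger", "key": "2025/11/14.parquet"}}
{"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "AWSAccount", "accountId": "ANONYMOUS_PRINCIPAL"}, "requestParameters": {"bucketName": "customer-data-archive"}}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.4.12", "userIdentity": {"type": "IAMUser", "userName": "ops"}, "requestParameters": {}}
"""

def decoy_alerts(log_text, decoys=DECOY_BUCKETS):
    """Return one alert per S3 list/read event that touched a decoy bucket."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("eventSource") != "s3.amazonaws.com":
            continue  # only S3 data events matter here
        if event.get("eventName") not in WATCHED_EVENTS:
            continue  # writes to real buckets are normal operations
        params = event.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if bucket not in decoys:
            continue
        identity = event.get("userIdentity") or {}
        alerts.append({
            "bucket": bucket,
            "key": params.get("key"),          # None for bucket-level listing
            "action": event["eventName"],
            "source_ip": event.get("sourceIPAddress"),
            "principal": identity.get("userName") or identity.get("accountId") or identity.get("type"),
        })
    return alerts

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(f"DECOY HIT {alert['action']} on {alert['bucket']} from {alert['source_ip']} ({alert['principal']})")
```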

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

ShinyHunters, data breach, Checkout.com, cloud security, ransom, asset management
