Tuesday, March 17, 2026

Checkout.com Confirms ShinyHunters Breach Of Cloud Storage But Declines Ransom Payment

London-based payment processor Checkout.com has acknowledged a data breach by the notorious hacking group ShinyHunters, confirming unauthorized access to a legacy cloud storage system.

In a public statement released on November 12, 2025, the company’s Chief Technology Officer, Mariano Albera, detailed the incident, emphasizing that no sensitive financial data was compromised.

Instead of paying the demanded ransom, Checkout.com announced it would donate an equivalent amount to cybersecurity research at Carnegie Mellon University and the University of Oxford’s Cyber Security Center.

The breach targeted an outdated third-party cloud file storage platform, last used for internal operations and merchant onboarding before 2020.

According to Albera, attackers exploited improper decommissioning of this system, a common misconfiguration vulnerability in cloud environments.

In technical terms, legacy cloud buckets, often hosted on services like Amazon S3, can remain accessible if access controls, such as IAM (Identity and Access Management) policies, are not entirely revoked during decommissioning.

This exposes metadata, logs, or stored files via public or weakly authenticated endpoints, allowing threat actors to enumerate and exfiltrate data without advanced exploits, such as zero-day vulnerabilities.

ShinyHunters, a group linked to multiple high-profile breaches, including those at AT&T and Ticketmaster, contacted Checkout.com last week, claiming possession of stolen data.

The compromised files reportedly include operational documents and onboarding materials from affected merchants, estimated to impact less than 25% of Checkout.com’s current customer base.

Crucially, the hackers never gained entry to the company’s live payment processing infrastructure, which operates on segregated, hardened systems compliant with PCI DSS (Payment Card Industry Data Security Standard) Level 1.

No merchant funds, customer card numbers, or transaction details were accessed, as these are handled through isolated APIs and encrypted vaults, not the legacy storage.

Response and Industry Impact

Upon discovery, Checkout.com took swift action, launching an internal investigation to assess the scope of the breach.

The company is notifying impacted merchants and coordinating with law enforcement agencies, such as the FBI, given ShinyHunters’ international operations, and with relevant regulators, such as the UK’s Information Commissioner’s Office (ICO).

Albera acknowledged the decommissioning oversight as a “mistake” the firm wholly owns, highlighting a broader industry lesson: legacy systems often harbor “zombie” assets that evade automated scans, requiring manual audits and tools like cloud security posture management (CSPM) platforms for detection.
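To make the decommissioning gap and the "zombie" asset audit described above concrete, here is an added example (not Checkout.com's tooling and not from the company's statement) that flags buckets unused since a cutoff date whose S3 bucket policy still carries grants. The inventory layout, bucket names and dates are constructed assumptions; in practice the inputs would come from the provider's policy, Block Public Access and access-log data.

```python
from datetime import date

def wildcard_allows(policy):
    """Unconditioned Allow statements in an S3 bucket policy whose Principal is "*"."""
    stmts = policy.get("Statement", [])
    hits = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wild = aws == "*" or (isinstance(aws, list) and "*" in aws)
        # A Condition may narrow the grant, so conditioned statements are skipped here.
        if s.get("Effect") == "Allow" and wild and not s.get("Condition"):
            hits.append(s)
    return hits

def audit(inventory, cutoff):
    """Map bucket name -> finding for buckets unused since `cutoff` but not locked down."""
    findings = {}
    for b in inventory:
        policy = b.get("policy") or {}
        last = b.get("last_access")
        stale = last is None or last < cutoff
        # RestrictPublicBuckets (S3 Block Public Access) overrides a public policy.
        blocked = (b.get("public_access_block") or {}).get("RestrictPublicBuckets", False)
        public = bool(wildcard_allows(policy)) and not blocked
        if stale and public:
            findings[b["name"]] = "stale and public"
        elif stale and policy.get("Statement"):
            findings[b["name"]] = "stale, grants not revoked"
        elif public:
            findings[b["name"]] = "in use but public"
    return findings

def allow(principal):  # builds one constructed Allow statement for the sample data
    return {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"}

# Constructed inventory: names, dates and field layout are assumptions for this example.
INVENTORY = [
    {"name": "onboarding-docs-legacy", "last_access": date(2019, 11, 2),
     "policy": {"Statement": [allow("*")]}},
    {"name": "old-reports", "last_access": date(2019, 6, 1),
     "policy": {"Statement": [allow({"AWS": "arn:aws:iam::111122223333:role/etl"})]}},
    {"name": "retired-but-blocked", "last_access": None,
     "policy": {"Statement": [allow({"AWS": "*"})]},
     "public_access_block": {"RestrictPublicBuckets": True}},
    {"name": "static-site", "last_access": date(2025, 11, 1), "policy": {"Statement": [allow("*")]}},
    {"name": "live-vault", "last_access": date(2025, 11, 10), "policy": {}},
]
print(audit(INVENTORY, date(2020, 1, 1)))
```

A bucket reported as "stale, grants not revoked" is not exposed to the internet, but it is the kind of leftover access that a decommissioning checklist is meant to remove.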

By refusing to pay the ransom, Checkout.com stands against the increasingly common extortion tactics used by ransomware and data-theft groups.

ShinyHunters typically leverages dark web forums to auction stolen data, pressuring victims through proof-of-concept leaks.

The donation to academic research underscores a proactive stance, funding studies into threat actor profiling, AI-driven anomaly detection, and supply chain defenses, areas that are vital given that cloud misconfigurations account for over 80% of breaches, according to recent Verizon DBIR reports.

This incident arrives amid rising attacks on fintech firms, where groups like ShinyHunters exploit cloud sprawl for quick gains.

Checkout.com reaffirmed its commitment to transparency, urging merchants to contact support via standard channels.

As the digital economy grows, such events remind stakeholders that robust decommissioning protocols and zero-trust architectures are essential to safeguarding against evolving cyber threats.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.