Checkout.com data breach concerns have surfaced after the global payment processor confirmed it was recently targeted by the cybercrime group ShinyHunters. The company reported that attackers gained access to documents stored in an old third-party cloud environment, though its core payment processing systems and sensitive financial information remain unaffected.
According to early findings, the Checkout.com data breach occurred when ShinyHunters accessed a legacy storage system last used in 2020. The environment contained internal operational files and merchant onboarding documents.
Checkout.com confirmed that the system had not been properly decommissioned, enabling unauthorized access.
Legacy Cloud System at Center of Checkout.com Data Breach
The Checkout.com data breach affects an estimated 25% of the company’s current merchant base, although the compromised data does not include payment card numbers, merchant bank funds, or any information linked to real-time transaction processing.
In its statement, Checkout.com emphasized that its live payment platform was completely isolated from the targeted system. As a result, no transactional services, payment flows, or merchant funds were put at risk.
The Checkout.com data breach came to light when ShinyHunters contacted Checkout.com last week with an extortion demand. Instead of complying, the company publicly announced that it would not pay the ransom.
Checkout.com stated that it will donate the equivalent amount requested by the criminals to two major institutions known for cybersecurity research: Carnegie Mellon University and the University of Oxford’s Cyber Security Center.
The company said the decision aims to turn a criminal attack into an opportunity to strengthen the broader security community.
CTO Takes Responsibility and Calls for Transparency
Mariano Albera, Chief Technology Officer at Checkout.com, issued a detailed response acknowledging the company’s responsibility in failing to fully retire the outdated cloud storage system.
He confirmed that the breach stemmed from a system “used in 2020 and prior years” and reiterated that no sensitive financial data was touched. Albera apologized for the concern caused to merchants and partners, stating:
- “This was our mistake, and we take full responsibility.”
- “We regret that this incident has caused worry for our partners and people.”
- “Security, transparency and trust are the foundation of our industry.”
Albera stressed that Checkout.com is committed to informing any potentially affected partners and is cooperating with law enforcement and relevant regulators as part of a broader investigation.
Company Strengthens Commitment to Merchant Protection
While the Checkout.com data breach involved non-critical information, the company acknowledged the importance of addressing lapses tied to legacy technology. It also promised full support to any merchant seeking clarification or assistance.
Checkout.com noted that its support channels remain open and that account representatives are proactively reaching out to anyone whose data may have been stored in the legacy system.
The organization said this incident will also influence future technology governance processes, particularly those tied to sunsetting outdated infrastructure and third-party storage environments.
Checkout.com says its choice to donate the ransom amount is intended as a symbolic yet meaningful stance against cyber extortion. By funding academic cybersecurity research, the company aims to help strengthen defenses not just for itself but for the wider digital ecosystem.
The company stated that it will continue prioritizing transparency, accountability, and stronger security investments to ensure such incidents do not recur.
