
Checkout.com Admits Legacy Cloud Breach, Data Exposed

Global payment processor Checkout.com has disclosed a security breach after the infamous hacking group ShinyHunters infiltrated a decommissioned third-party cloud file storage system. Although the incident exposed internal documents from previous years, the company confirmed that no live payment processing systems or customer financial data were compromised.

The breach came to light when ShinyHunters—responsible for high-profile attacks on Microsoft, AT&T, Ticketmaster, and other major brands—contacted Checkout.com last week demanding ransom in exchange for allegedly stolen data.


A Legacy System Left Behind

According to Checkout.com, the exposure stemmed from a legacy cloud repository used before 2020 for storing:

  • Internal operational documents
  • Merchant onboarding files
  • Non-critical business materials

The platform, managed by a third-party provider, was never fully decommissioned—a mistake the company admits opened the door for unauthorized access.

“This was our mistake, and we take full responsibility,” said Chief Technology Officer Mariano Albera in an official blog post.

Checkout.com emphasized that critical infrastructure, live transaction systems, and sensitive payment data were completely untouched, and fewer than 25% of current merchants were impacted.


What Data Was Affected?

The compromised system contained archived documents only, including:

  • Historic merchant onboarding files
  • Internal operational records
  • Administrative materials predating 2020

Importantly, the breach did not include:

  • Payment processing systems
  • Cardholder data
  • Merchant funds
  • Real-time transaction records
  • API keys or live platform credentials

The intrusion was limited solely to the outdated third-party cloud environment.


ShinyHunters Exploits Forgotten Infrastructure

ShinyHunters—active since at least 2020—regularly targets misconfigured cloud environments, weak access controls, and “forgotten” infrastructure that organizations fail to retire properly.

Cybersecurity experts refer to these abandoned systems as “zombie infrastructure”—platforms no longer in active use but still connected to the internet, often overlooked during security audits.

This breach aligns with ShinyHunters’ established tactics: identifying overlooked systems and extracting documents valuable for extortion or resale on dark web markets.


Checkout.com Refuses Ransom, Pledges to Fund Cyber Research

Checkout.com has taken a firm stance against extortion.

“We will not pay this ransom,” Albera stated.

Instead, the company announced it will donate the equivalent ransom amount to cybersecurity research initiatives at:

  • Carnegie Mellon University
  • University of Oxford Cyber Security Centre

The goal, Albera noted, is to “invest directly in the fight against criminal actors who threaten our digital economy.”


Merchant Support and Ongoing Response

Checkout.com is now:

  • Notifying affected merchants
  • Cooperating with law enforcement and regulators
  • Reviewing all legacy systems and partners
  • Strengthening its cloud security posture

The company also expressed regret for the concern caused:

“We are sorry. We regret that this incident has caused worry for our partners,” Albera wrote, offering dedicated support via account managers.


A Cautionary Tale About Forgotten Cloud Systems

This incident serves as a powerful reminder that even the most modern fintech companies can face serious risks from unmaintained or overlooked legacy systems. As cybercriminals increasingly exploit old infrastructure, organizations must ensure that every outdated service is securely retired, audited, and removed from public exposure.

Checkout.com’s transparent response—paired with its decision to invest in cybersecurity research—reflects a growing industry trend toward accountability and proactive defense.

