
Checkout.com donates ransom to charity after data breach

Summary

– Checkout.com was breached by the ShinyHunters threat group, who accessed a legacy third-party cloud storage system and are extorting the company for a ransom.
– The stolen data affects fewer than 25% of current merchants and includes information from 2020 and earlier, such as operational documents and onboarding materials.
– Checkout.com will not pay the ransom and instead plans to donate the amount to Carnegie Mellon University and the University of Oxford Cyber Security Centre for cybercrime research.
– The company is committed to strengthening its security measures and better protecting its customers in the future.
– ShinyHunters is an international cybercrime group known for data exfiltration through methods like phishing and social engineering, and has been linked to recent high-profile attacks.

In a bold response to a significant data security incident, UK-based financial technology leader Checkout.com has confirmed a breach of a legacy cloud storage system by the ShinyHunters cybercrime group. The company has taken a firm stance against paying the demanded ransom, choosing instead to allocate those funds toward cybersecurity research and to reinforce its own protective infrastructure. This incident highlights the persistent risks associated with outdated digital assets and the critical need for robust, modern security protocols.

Checkout.com functions as a comprehensive global payment processor, delivering a unified payments API, hosted payment portals, mobile software development kits, and various plugins for integration into existing e-commerce platforms. Its services encompass a wide array of payment options and incorporate sophisticated fraud detection, identity verification processes, and a system for managing transaction disputes. The platform’s technology is embedded within the operations of numerous major international corporations such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, facilitating the movement of billions in commercial revenue annually.

According to the company’s official statement, the breach involved unauthorized access to a third-party legacy cloud file storage system that had not been completely decommissioned. This system contained merchant data from the year 2020 and earlier, which included internal operational documents and various customer onboarding materials. The criminal group ShinyHunters made contact with Checkout.com to claim possession of this data and to issue a ransom demand.

An internal investigation confirmed that the data was indeed exfiltrated from this outdated storage environment. While the company estimates that the breach impacts fewer than a quarter of its current merchant partners, the exposure also extends to a number of past clients. ShinyHunters is recognized as an international cybercrime syndicate known for systematically extracting data from large enterprises. Their typical methods of entry include sophisticated phishing campaigns, OAuth application attacks, and various forms of social engineering, after which they demand substantial payments to prevent the public release of the stolen information.

This group has recently been associated with exploiting a critical vulnerability in the Oracle E-Business Suite, identified as CVE-2025-61884, and was also implicated in a widespread series of attacks targeting Salesforce and Drift platforms earlier this year.

In a definitive move, Checkout.com has publicly declared it will not comply with the ransom demand. The funds equivalent to the ransom will be donated to support cybercrime research initiatives at Carnegie Mellon University and the University of Oxford’s Cyber Security Centre.

Concurrently, the company has pledged a significant investment into strengthening its overall security posture to provide enhanced protection for its clientele moving forward. Checkout.com has not disclosed the specific identity of the compromised third-party cloud storage provider or the precise technique used to gain unauthorized access. Inquiries for further details on the incident have been made to the payment provider, and updates will be provided as more information becomes available.

(Source: Bleeping Computer)
