Checkout.com Confirms Data Breach: ShinyHunters Exploit Legacy Cloud Storage

CyberSecureFox 🦊

Global payments provider Checkout.com has disclosed a security incident following unauthorized access to a deprecated third‑party cloud file repository. The threat actor, identified as ShinyHunters, demanded a ransom that the company says it has declined to pay. Instead, Checkout.com announced investments of comparable value in cybersecurity research at Carnegie Mellon University and the Oxford Centre for Cyber Security, alongside additional hardening of its defenses.

Incident overview: how attackers reached legacy cloud storage

According to the company, the intrusion targeted an older, third‑party cloud storage system used before 2020 that was not properly decommissioned. Although the platform had been retired operationally, it still contained sensitive materials and remained reachable, creating an unmonitored exposure point frequently seen with “orphaned” or legacy assets.

Scope and data types affected

Checkout.com reports that the stolen data includes information related to merchants (partners), internal operational documents, and customer onboarding materials. The company estimates the incident impacts fewer than 25% of its current customers, with potential exposure for some former clients. At this stage, public statements do not indicate compromise of payment card numbers or bank card data.

Threat actor profile: ShinyHunters and multi‑vector extortion

ShinyHunters—recently referenced as Scattered Lapsus$ Hunters—has been associated in industry reporting with tactics such as phishing, OAuth abuse, and social engineering to gain access to corporate environments, followed by data theft and extortion. Researchers have linked the group’s activity to a purported zero‑day in Oracle E‑Business Suite (CVE‑2025‑61884) and to attacks impacting integrations with platforms like Salesforce and Drift. As with any ongoing investigations, these associations should be treated as subject to confirmation by primary sources and vendors.

Why legacy and “forgotten” clouds create systemic risk

The incident underscores the persistent risk posed by legacy assets and incomplete decommissioning. Aging repositories can retain administrative credentials, archives, or sensitive documentation but fall outside active inventory and monitoring. Industry analyses, including the Verizon 2024 Data Breach Investigations Report (DBIR) and guidance from ENISA, consistently identify misconfigurations, human error, and asset management gaps—especially in cloud environments—as frequent contributors to breaches.

Common pitfalls include public or weakly restricted storage buckets, stale user accounts, unrevoked API keys and OAuth tokens, and monitoring blind spots. These conditions lower the barrier for attackers to discover and exfiltrate data or to craft convincing impersonation campaigns.

Customer and supply chain exposure: phishing and impersonation

Stolen onboarding and operational documents are valuable for social engineering. Adversaries can mimic established processes, spoof verification flows, or send commands that resemble real operational requests. This raises the likelihood of business email compromise (BEC), API token theft, or supply chain abuse targeting Checkout.com’s partners and their downstream ecosystems.

Actionable security measures to reduce similar risks

Organizations can materially reduce exposure by enforcing disciplined lifecycle management and layered controls:

Asset governance: maintain a complete inventory of cloud accounts and third‑party services; conduct periodic discovery to identify “orphaned” repositories and shadow IT; implement formal decommissioning checklists.

Identity and access: enforce least privilege, time‑bound access, and periodic access recertification; rotate API keys and OAuth tokens on schedule; revoke credentials upon system retirement; enable phishing‑resistant MFA.

Configuration and monitoring: use CSPM to detect misconfigurations, SIEM/SOAR for continuous telemetry and automated response, and DLP for data egress controls; validate backup and break‑glass access paths.

Data hygiene: minimize data retention, encrypt at rest and in transit, and segregate archives; log and alert on access to legacy storage.

Supply chain hardening: verify inbound and outbound requests via out‑of‑band channels, refresh integration allowlists, rotate tokens and credentials for third‑party APIs, monitor for API anomalies, and retrain staff to spot BEC and consent‑phishing scenarios.
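The asset-governance, monitoring and data-hygiene items above can be checked mechanically once an inventory exists. The following Python script is an added illustration, not code from Checkout.com or from this article: it reconciles a constructed cloud-storage inventory (hypothetical bucket names, owners and dates) with constructed access-log lines in a simplified S3-style layout, flags repositories that look orphaned (retired but still present, unowned, untouched for over a year, or public), and raises an alert whenever a retired repository still serves a successful request. The inventory columns, log layout and severity levels are assumptions chosen for the example.

```python
"""Orphaned-storage triage: reconcile a cloud storage inventory with
access logs to find retired repositories that are still reachable."""
from datetime import datetime, timedelta, timezone
import csv
import io

# Constructed sample inventory (hypothetical bucket names, not real assets).
# Columns: name, status (active/retired), owner (blank = unowned),
# public (yes/no), last_modified (ISO date).
INVENTORY_CSV = """name,status,owner,public,last_modified
billing-archive-2019,retired,,no,2019-11-02
merchant-onboarding-docs,active,payments-team,no,2024-05-14
legacy-kyc-exports,retired,,yes,2018-07-30
ops-runbooks,active,sre,no,2024-06-01
"""

# Constructed access-log lines in a simplified S3-server-access-log-like
# layout: bucket, ISO timestamp, requester, operation, key, HTTP status.
ACCESS_LOG = """billing-archive-2019 2024-06-10T09:14:02Z anonymous GET onboarding/merchant_list.csv 200
ops-runbooks 2024-06-10T09:15:30Z arn:aws:iam::000000000000:user/sre-bot GET oncall.md 200
legacy-kyc-exports 2024-06-10T11:40:11Z anonymous GET exports/2018/all.zip 200
merchant-onboarding-docs 2024-06-10T12:01:45Z arn:aws:iam::000000000000:role/onboarding PUT new_partner.pdf 200
billing-archive-2019 2024-06-10T12:05:00Z anonymous GET invoices.csv 403
"""

NOW = datetime(2024, 6, 11, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
STALE_AFTER = timedelta(days=365)                  # assumed staleness threshold


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by bucket name."""
    return {r["name"]: r for r in csv.DictReader(io.StringIO(text))}


def find_orphans(inventory, now=NOW, stale_after=STALE_AFTER):
    """Return {bucket: [reasons]} for buckets that need decommissioning attention."""
    orphans = {}
    for name, r in inventory.items():
        reasons = []
        if r["status"] == "retired":
            reasons.append("retired-but-present")   # should have been deleted, still exists
        if not r["owner"]:
            reasons.append("no-owner")              # nobody is accountable for it
        last = datetime.fromisoformat(r["last_modified"]).replace(tzinfo=timezone.utc)
        if now - last > stale_after:
            reasons.append("stale")                 # untouched for over a year
        if r["public"] == "yes":
            reasons.append("public")                # weakly restricted storage
        if reasons:
            orphans[name] = reasons
    return orphans


def parse_log(text):
    """Split each constructed log line into its six fields."""
    events = []
    for line in text.strip().splitlines():
        bucket, ts, requester, op, key, status = line.split()
        events.append({"bucket": bucket, "ts": ts, "requester": requester,
                       "op": op, "key": key, "status": int(status)})
    return events


def alerts_for_legacy_access(inventory, events):
    """Alert on every successful request against a retired bucket and on any
    bucket missing from the inventory; anonymous reads are escalated to critical."""
    alerts = []
    for e in events:
        r = inventory.get(e["bucket"])
        if r is None:
            alerts.append(("high", e["bucket"], "bucket not in inventory"))
            continue
        if r["status"] == "retired" and e["status"] < 400:
            sev = "critical" if e["requester"] == "anonymous" else "high"
            alerts.append((sev, e["bucket"], f"{e['op']} {e['key']} by {e['requester']}"))
    return alerts


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for name, why in find_orphans(inv).items():
        print(f"[orphan] {name}: {', '.join(why)}")
    for sev, bucket, detail in alerts_for_legacy_access(inv, parse_log(ACCESS_LOG)):
        print(f"[{sev}] {bucket}: {detail}")
```

On the constructed data the script flags both retired buckets as orphans (one of them also public) and raises two critical alerts for anonymous reads that succeeded against retired storage, while the 403 against the same bucket is ignored because a denied request is not an exposure. In practice the inventory would be pulled from the cloud provider's API or a CSPM export, and the alert tuples fed to a SIEM rather than printed.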

The Checkout.com case is a reminder that cyber resilience in fintech depends not only on securing “production” systems but also on rigorous data lifecycle controls and vendor oversight. A targeted audit of archival stores, access policies, and OAuth integrations—combined with tested incident response plans—can limit blast radius and speed containment when incidents occur.
