
Checkout.com Discloses Data Breach Linked to Extortion Attempt

Global payments provider Checkout.com has confirmed a data breach following an extortion attempt by a known cybercriminal group


Global payments provider Checkout.com has confirmed a data breach following an extortion attempt by a known cybercriminal group. While the incident has prompted industry-wide attention, the company emphasized that its payment processing systems and merchant funds were not affected.

What Happened

According to Checkout.com, attackers gained unauthorized access to a legacy third-party cloud file storage system that had not been actively used since 2020. The system contained:

  • Internal operational documentation

  • Merchant onboarding materials

  • Other non-payment files from prior years

Checkout acknowledged that the legacy system had not been fully decommissioned, enabling threat actors to exploit it.

“This was our mistake, and we take full responsibility,” the company stated.

The breach did not involve card numbers, transaction data, or payment processing infrastructure.

Who’s Behind the Attack?

The extortion attempt was claimed by the ShinyHunters group — a threat actor active since 2020 and known for large-scale data theft and ransom operations. Their recent history includes:

  • A collaboration with Scattered Spider, known for high-impact enterprise intrusions

  • A supposed “retirement” announcement earlier this year

  • The emergence of a successor-like group: Scattered LAPSUS$ Hunters

That group recently claimed responsibility for a campaign targeting Salesforce tenants, leaking millions of records allegedly stolen from compromised instances.

However, ShinyHunters’ attempt to extort Checkout.com was unsuccessful.

Checkout.com Refuses to Pay

Checkout issued a firm public stance:

“We will not be extorted by criminals. We will not pay this ransom.”

Instead of capitulating, the company announced it will donate the ransom amount to two academic cybersecurity research organizations:

  • Carnegie Mellon University

  • University of Oxford Cyber Security Centre

The donation is designed to support research into cybercrime prevention and defensive innovation.

Impact and Response

Checkout.com is conducting a full investigation to:

  • Determine which entities or individuals were affected

  • Assess the scope of data accessed

  • Audit internal and third-party systems

The firm has reported the incident to law enforcement and all relevant regulatory bodies, with ongoing notifications to impacted organizations.

Key Takeaways

  • The breach stemmed from improper retirement of a third-party legacy system — a common but overlooked security gap.

  • No payment data, cardholder information, or merchant funds were compromised.

  • Checkout’s rare decision to donate the ransom amount signals a strong strategic and ethical stance.

  • The attack reflects the continuing evolution of extortion groups even amid claims of retirement or rebranding.