UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom.
The company says that although the stolen data affects a significant portion of its merchant base, it will not pay a ransom and will instead invest in strengthening its security.
Checkout operates checkout.com and is a global payment processing firm that provides a unified payments API, hosted payment portals, mobile SDK, and plugins to use on existing platforms.
It supports a multitude of payment methods and features fraud detection, identity verification (KYC), and provides a dispute system.
Its systems are incorporated into some of the world’s largest businesses, including eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, handling billions in merchandise revenue.
Checkout says ShinyHunters gained access to a third-party legacy system that had not been properly decommissioned, which held merchant data from 2020 and earlier, including internal operational documents and onboarding materials.
“Last week, Checkout.com was contacted by a criminal group known as “ShinyHunters”, who claimed to have obtained data connected to Checkout.com and demanded a ransom,” reads the company’s announcement.
“Upon investigation, we determined that this data was obtained by gaining unauthorized access to a legacy third-party cloud file storage system, used in 2020 and prior years.”
Checkout estimates that this affects less than 25% of its current merchant base, but the exposure extends to past customers too.
ShinyHunters is an international cybercrime group that exfiltrates data from large organizations, usually breaching them via phishing, OAuth attacks, or social engineering, and then demanding large payments not to publish the data.
The threat group has recently been linked to the exploitation of the Oracle E-Business Suite zero-day (CVE-2025-61884), as well as to Salesforce/Drift attacks that impacted a large number of organizations earlier this year.
Checkout.com said it will not pay ShinyHunters a ransom and instead will donate the amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime-related research projects.
At the same time, the firm committed to strengthening its security measures and better protecting its customers going forward.
Checkout.com has not named the third-party cloud file storage system that was compromised or the breach method.
BleepingComputer has contacted the payments solution provider to find out more, and we will add an update once we hear back.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.