UK-based payment services provider Checkout.com experienced a security breach involving its legacy third-party cloud file storage system, compromised by the ShinyHunters extortion group. The attackers demanded a ransom, which the company refused to pay directly. Instead, Checkout.com redirected the demanded amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research. The incident highlights risks associated with third-party cloud vulnerabilities, exposing potential data leaks or operational disruptions. While the company avoided direct ransom payment, the attack underscores the persistent threat of ransomware-driven extortion targeting financial service providers. The breach’s scope—whether customer or internal data was accessed—remains undisclosed, but the involvement of a high-profile threat actor suggests significant exposure risks. The decision to fund research rather than pay ransom aligns with ethical cybersecurity practices but does not eliminate the initial compromise’s impact on trust and system integrity.

Checkout.com was targeted by the cybercriminal group ShinyHunters in early November 2025 via a ransomware attack exploiting a decommissioned third-party cloud storage system. The breach exposed internal operational documents and merchant onboarding materials from 2020 and earlier, affecting less than 25% of its current merchant base. While no live payment systems, merchant funds, or card numbers were compromised, the incident involved unauthorized access to legacy data. The company refused to pay the ransom, instead donating the demanded amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to combat cybercrime. Checkout.com emphasized transparency, accountability, and collaboration with law enforcement, while contacting impacted customers and regulators. The breach highlighted vulnerabilities in legacy system decommissioning but did not disrupt core financial operations or expose sensitive financial data.