Updated 11:21 ET to clarify that no ransomware was deployed, i.e. a ransom was demanded in the wake of the data breach but no malware was used in the attack.

Merchant heavyweight Checkout.com – a Stripe rival that serves the likes of eBay, Netflix, and Uber – says customer data was exposed after a threat group accessed a legacy cloud storage environment it had failed to decommission.

Its payment processing environment was not affected and no card details were stolen, it said on November 12, adding that “the system was used for internal operational documents and merchant onboarding materials at that time.”

The storage bucket was used until 2020, Checkout.com said. Nearly a quarter of existing merchants may have had some data accessed, however, it admitted.

CTO Mariano Albera added in a short blog that “We will not be extorted by criminals. We will not pay this ransom…” (Checkout.com confirmed to The Stack that no malware/ransomware was deployed during the incident.)

He wrote today: “Instead, we are turning this attack into an investment in security for our entire industry. We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support their research in the fight against cybercrime.”

“The episode occurred when threat actors gained access to this third party legacy system which was not decommissioned properly,” he added.

“This was our mistake, and we take full responsibility.”

He named the group in question as “ShinyHunters.”

Checkout.com declined to name the ransom amount/donation that it would be making, when approached for further details by The Stack. 

It was not immediately clear if the “legacy, third-party cloud file storage system” was misconfigured/publicly exposed without authentication being required, or just poorly secured, with (widely available) stolen credentials used to access it.

If the former, a wealth of attack surface management tools or simply free tools like “public buckets” should have been able to spot it for the firm. 

UPDATED: The Stack understands that this was not an S3 bucket or equivalent "storage" environment (Checkout's CTO named it as "a legacy, third-party cloud file storage system") but a file-sharing system of the kind that has been widely abused by ransomware and other cybercrime groups in extortion campaigns. We could not confirm the software in question.
