Cyber Incident Victim: Shutterfly
Date: Jun 2023
Location: United States of America
Summary
Shutterfly was impacted by a Clop ransomware attack exploiting a MOVEit file transfer vulnerability. The company confirmed its Shutterfly Business Solutions unit used the MOVEit platform and took systems offline upon discovery. A forensic investigation concluded that no consumer data from its major brands or employee information was compromised in the incident. This attack was part of a broader campaign by the Clop group that affected hundreds of organizations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Shutterfly, an online retail and photography manufacturing platform, was impacted by a cybersecurity incident in early June 2023. The company was listed as a victim on the Clop ransomware gang's data leak site, identifying it as one of the many organizations targeted through the exploitation of a vulnerability in the MOVEit File Transfer utility. This vulnerability, tracked as CVE-2023-34362, is an SQL injection flaw that the threat actors had been actively exploiting over the preceding months to breach corporate networks. Shutterfly confirmed that its enterprise business unit, Shutterfly Business Solutions (SBS), had utilized the MOVEit platform for some of its operations, making it susceptible to this widespread attack campaign.

Upon learning of the vulnerability in early June, Shutterfly initiated its response protocol. The company promptly took the relevant systems offline to prevent further unauthorized access. It then implemented the security patches provided by Progress Software, the developer of MOVEit, to remediate the known vulnerability. Concurrently, the company commenced a comprehensive forensics review of certain systems to determine the scope and impact of the incident. This investigation was conducted with the assistance of leading third-party forensic firms specializing in cybersecurity incidents.
The forensic investigation concluded that the breach was contained within the Shutterfly Business Solutions unit that operated the MOVEit platform. After a thorough review, the company stated it had no indication that consumer data from its major brands—including Shutterfly.com, Snapfish, Lifetouch, or Spoonflower—was impacted. Furthermore, the investigation found no evidence that any employee information was compromised in the attack. A Shutterfly spokesperson confirmed that customer and employee data remained safe. The company did not publicly disclose the amount of any ransom demand made by the Clop gang.
This incident was part of a much larger hacking spree conducted by the Clop ransomware operation. The group informed BleepingComputer that it had successfully breached servers belonging to "hundreds of companies" by exploiting the MOVEit vulnerability. The attack methodology involved exploiting the SQL injection flaw to gain unauthorized access to corporate networks connected to MOVEit instances. Once inside, threat actors typically exfiltrate data and files before deploying ransomware to encrypt devices. In this case, Clop's public listing of Shutterfly on its leak site indicated a successful breach and data theft, though the specific nature of the data taken from SBS was not detailed by the company.
The broader impact of the MOVEit exploitation was significant, affecting a wide array of organizations globally. Prominent entities that confirmed their involvement included Shell, Deutsche Bank, the University of Georgia, the University System of Georgia, UnitedHealthcare Student Resources, Heidelberger Druck, and Landal Greenparks. Other affected organizations included Zellis and its customers such as the BBC, Boots, and Aer Lingus, as well as Ofcom, the governments of Nova Scotia, Missouri, and Illinois, the University of Rochester, the American Board of Internal Medicine, BORN Ontario, SOVOS, and Extreme Networks. Several U.S. federal agencies were also compromised, including two entities within the Department of Energy.
This was not Shutterfly's first major ransomware incident. In March 2022, the company had disclosed a previous attack by the Conti ransomware gang that occurred in December 2021. During that earlier event, Conti ransomware operators encrypted a substantial portion of Shutterfly's infrastructure, including over 4,000 devices and 120 VMware ESXi servers. The 2023 MOVEit incident, however, was distinct in its cause and scope, stemming from a zero-day vulnerability in a third-party software product rather than a direct network intrusion.
Following the initial disclosure of CVE-2023-34362, MOVEit Transfer customers were later urged to remediate additional, separate SQL injection flaws. One, tracked as CVE-2023-35708, had proof-of-concept exploits surface online in June. Another critical flaw, tracked as CVE-2023-36934, was resolved by Progress Software the following month, with warnings issued for customers to patch their applications immediately. The ongoing discovery of these vulnerabilities highlighted the continued attention threat actors were paying to the file transfer platform and the necessity for vigilant patch management.
Shutterfly's public communications focused on the results of its forensic investigation, which found no impact to its consumer or employee data. The company's response emphasized immediate action upon learning of the vulnerability, including taking systems offline, patching, and engaging expert third-party support. The operational impact was confined to the Shutterfly Business Solutions unit that relied on the MOVEit platform for its file transfer operations. The incident demonstrates the supply chain risks associated with third-party software and the widespread collateral damage that can occur from a single vulnerability in a commonly used enterprise product.
