Cyber Incident Victim: Shutterfly
Date:
Dec 2021
Location:
United States of America
Summary
Shutterfly experienced a ransomware attack by the Conti gang, which encrypted thousands of devices and servers while exfiltrating corporate data. The attackers employed double extortion tactics, threatening to leak stolen information—including legal agreements, bank account details, corporate credentials, spreadsheets, and customer data with partial credit card digits—unless a ransom was paid. Services for Lifetouch, BorrowLenses, and Groovebook were disrupted, though consumer-facing platforms like Shutterfly.com remained operational. While the company asserted no financial data was compromised, evidence suggested otherwise with screenshots of credit card fragments in the stolen cache. Conti, a Russia-linked group operating ransomware-as-a-service, conducted the breach after infiltrating the network.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around December 10, 2021, the Conti ransomware group attacked Shutterfly, encrypting thousands of devices across the company's corporate infrastructure. The attackers claimed to have compromised over 4,000 devices and 120 VMware ESXi servers during the intrusion. Conti employed a double-extortion strategy, first exfiltrating sensitive corporate data before deploying ransomware. Stolen information included legal agreements, bank and merchant account details, corporate service login credentials, spreadsheets, and customer data containing the last four digits of credit cards. The gang created a private leak page with screenshots of this data, threatening public release unless Shutterfly paid a multimillion-dollar ransom. While negotiations were reportedly ongoing at the time of reporting, the attack caused significant service disruptions to Shutterfly's Lifetouch, BorrowLenses, and Groovebook divisions. The company's primary consumer-facing platforms—Shutterfly.com, Snapfish, TinyPrints, and Spoonflower—remained operational and unaffected according to corporate statements.

Shutterfly confirmed the ransomware incident in a December 26 statement to BleepingComputer, nearly two weeks after the initial breach. The company maintained that no financial information was compromised, despite evidence in Conti's screenshots showing partial credit card data. Conti, a Russian-linked ransomware-as-a-service operation historically associated with Ryuk, TrickBot, and BazarLoader malware campaigns, executed the attack through affiliate hackers who breached networks before deploying encryption. The incident prompted U.S. government agencies to reference Conti's increased activity in security advisories during this period. Forensic evidence suggested the attackers operated within Shutterfly's systems for an unspecified duration prior to encryption, consistent with Conti's standard tactics of prolonged network reconnaissance prior to ransomware deployment. Service disruptions persisted across affected business units as recovery efforts continued following the encryption event.
