Tipalti investigates claims of data stolen in ransomware attack

Updated 12/4/23 to include information from Roblox.

Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.

Tipalti offers technology solutions for accounting, payment processing, eCommerce, and affiliate and influencer programs. The company has numerous well-known customers, including Twitch, Roblox, ZipRecruiter, Roku, GoDaddy, Canva, and X.

"Over the past weekend, a ransomware group claimed that they allegedly gained access to confidential information belonging to Tipalti and its customers," Tipalti told BleepingComputer in a statement.

"Tipalti takes the security of our systems and data very seriously and has strong security protocols and tools in place. We are thoroughly investigating this claim."

A Roblox spokesperson told BleepingComputer that they are working with Tipalti to investigate the claims of stolen data and are unaware of any impact on their systems.

Roblox tells BleepingComputer that they have not been contacted by any groups claiming responsibility for the alleged security incident.

If you have any information regarding this incident or any undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.

These statements come after the ALPHV ransomware gang (aka BlackCat) published a lengthy post on their data leak site Saturday night, claiming they have had access to Tipalti's network since September 8th.

During this time, the threat actors claim to have stolen 265 GB of data, including data for Twitch and Roblox, which they say they will extort separately.

"We have remained present, undetected, in multiple Tipali systems since September 8th 2023," read a now-deleted post on the ALPHV data leak site.

"Over 265GB+ of confidential business data belonging to the company, as well as its employees and clients has been exfiltrated."

"We remain committed to this exfiltration operation, so we plan to reach out to both these companies once the market opens on Monday as we believe we will have an even greater amount of data by then".

It is unusual for ransomware gangs to name victims before extorting them. However, they say they are doing this as Tipalti's cyber insurance does not cover extortion and is not believed that the company will pay a ransom demand.

Today, the threat actors published another post stating that they are now contacting Tipalti customers, whom they plan on extorting individually.

While it is unclear what customers had their data stolen, the threat actors have only stated that they gained access to the data for Twitch and Roblox.

BleepingComputer also contacted Twitch, who has not responded to our email.