Their statement reads in part as follows:
"The attacker both locked up some of our systems and accessed some of the data on those systems. This included access to personal information of certain people, including you.
We believe the access occurred on or about December 3, 2021. We discovered the incident on December 13, 2021."
Their statement goes on to say that a large amount of data was stolen, and that it included employee personal information. Some of the information taken were names, addresses, salaries, login credentials for an unspecified number of Corporate Services users, and a wide range of customer information including at least the last four digits of credit card numbers kept on file.
Unfortunately, we don't yet have a good accounting of exactly how many users, employees, or customers may have been impacted by the breach. What is known is that so far, the company has decrypted more than 4,000 devices and more than 120VMware ESXi servers belonging to Shutterfly. Also, the investigation into the matter is ongoing at this time.
If you are a Shutterfly customer who was impacted by the attack, you've almost certainly received a copy of the official breach notification at this point. If you're a customer and you haven't received one, you may want to reach out to the corporate office to check the status of your account.
Finally, out of an abundance of caution, if you have an account with Shutterfly you should probably change your password right away. If you're using that same password on other web properties, change those too.
This will certainly not be the last such incident we hear about in 2022, so stay vigilant out there.