Payment software giant AvidXchange suffers its second ransomware attack of 2023

Hackers have published a trove of sensitive data stolen from payment software company AvidXchange after the company fell victim to ransomware for the second time this year.

AvidXchange provides cloud-based software that helps organizations automate invoice processing and payment management processes. The North Carolina-based company says it processed 70 million transactions for 8,000 customers in 2022.

A ransomware group called RansomHouse claimed responsibility for the recent cyberattack on AvidXchange.

“Dear AvidXchange, We strongly recommend you to contact us to prevent your confidential data, documents from being leaked,” a message on RansomHouse’s dark web leak site reads.

A sample of the stolen data, seen by TechCrunch, includes non-disclosure agreements, employee payroll information and corporate bank account numbers.

The leak also contains login details (usernames, passwords and, in some cases, answers to security questions) for a variety of the company’s systems, ranging from cloud accounts and security software to smart door locks and surveillance cameras. The leaked login details suggest that AvidXchange uses easily guessable passwords, with derivations of the company’s name and the word “password” itself. Notes in the document suggest many of the logins may still be in use.

In a short statement on its website, AvidXchange said the incident “affected some of our systems and data.” The company said its investigation is ongoing, but confirmed that it detected in early April that “some data from these systems was exfiltrated.”

AvidXchange said during the company’s first-quarter earnings call on Monday that it expects to incur costs related to the incident, but spokesperson Olivia Sorrells declined to tell TechCrunch whether the company received or paid a ransom demand from RansomHouse, or to answer TechCrunch’s questions.

RansomHouse, which has been active since 2021, describes itself as a “professional mediators community” that targets organizations with a “negligent attitude to the privacy and security of their customers’ personal data.” The ransomware gang also recently claimed chipmaker AMD and Africa’s largest retailer Shoprite as victims.

It remains unclear how AvidXchange was compromised, how many customers and employees are affected by the breach and whether AvidXchange has the means to determine what data was exfiltrated from its systems.

This latest breach comes just weeks after AvidXchange confirmed it was one of the 130 victims of the mass hack targeting Fortra GoAnywhere systems, which was claimed by the Russian-speaking Clop ransomware gang. AvidXchange told TechCrunch at the time that the company used Fortra’s GoAnywhere technology to transfer files to a specific company that prints its checks.

Clop’s dark web leak site currently lists data it allegedly stole from AvidXchange, including the company’s GoAnywhere backups.


Do you have more information about the AvidXchange cyberattack? You can contact Carly Page securely on Signal at +441536 853968, or by email. You can also contact TechCrunch via SecureDrop.