Shadow, which offers services that let you stream a Windows PC, has disclosed a security breach that led an attacker taking some private customer data. The company is sending emails to customers notifying them that a bad actor was able to extract their first and last name, email address, date of birth, billing address, and credit card expiration date.

Shadow’s CEO confirmed the breach in a statement to The Verge. “We were recently the victim of a highly sophisticated social engineering attack which led to the exfiltration of the database of one of our service providers, resulting in the unauthorized exposure of certain customer data,” Eric Sele says. “We have since then taken immediate steps to secure our systems, including reinforcing the security protocols we apply with all our service providers. Most importantly, no passwords or financial data have been compromised.”

Here’s what happened, according to the email sent to customers (which you can see on Reddit):

At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.

Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.

The company says it has “reinforced the security protocols we apply with all our SaaS providers” and that it will be “upgrading our internal systems to render compromised workstations harmless.”

A since-removed Reddit post from a user that identifies as a community manager also included instructions to delete your Shadow account and advises users to “take proactive steps to enhance your online privacy and identity protection.” You can see that post on the Wayback Machine.

Shadow, which offers services that let you stream a Windows PC, has disclosed a security breach that led an attacker taking some private customer data. The company is sending emails to customers notifying them that a bad actor was able to extract their first and last name, email address, date of birth, billing address, and credit card expiration date.

Shadow’s CEO confirmed the breach in a statement to The Verge. “We were recently the victim of a highly sophisticated social engineering attack which led to the exfiltration of the database of one of our service providers, resulting in the unauthorized exposure of certain customer data,” Eric Sele says. “We have since then taken immediate steps to secure our systems, including reinforcing the security protocols we apply with all our service providers. Most importantly, no passwords or financial data have been compromised.”

Here’s what happened, according to the email sent to customers (which you can see on Reddit):

At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.

Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.

The company says it has “reinforced the security protocols we apply with all our SaaS providers” and that it will be “upgrading our internal systems to render compromised workstations harmless.”

A since-removed Reddit post from a user that identifies as a community manager also included instructions to delete your Shadow account and advises users to “take proactive steps to enhance your online privacy and identity protection.” You can see that post on the Wayback Machine.