🔴 HIGH breach

Unity SpeedTree Checkout Skimmer - 428 Customers’ Payment Data Exposed

Unity Technologies disclosed a checkout skimmer on its SpeedTree website that captured customer payment details between 13 March and 26 August 2025. The malicious code, added to the checkout page, could harvest names, addresses, emails, credit card numbers, and access codes during purchases. The compromise was discovered on 26 August 2025; Unity disabled the site and removed the code, launched an investigation, notified affected customers and authorities, and is offering 12 months of credit monitoring via Equifax. The data breach notification letter filed in Maine cites 428 impacted individuals.

The incident reflects the continued efficacy of ecommerce skimming against specialized vendor portals that may not have the same security rigor as core corporate sites. Given SpeedTree’s role in the game and simulation content ecosystem, even a few hundred compromised records can create downstream risk if reused credentials or shared corporate cards are in play.

This case underscores the need for strict change control on payment flows, script integrity (e.g., SRI and CSP), and continuous monitoring for DOM modifications or unauthorized third-party script loads. Post-incident, enterprises purchasing from niche vendor properties should consider rotating cards and auditing expense portals for anomalous transactions correlated to the exposure window.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Financial fraud exposure and card reissuance costs for affected buyers; potential credential reuse risk for studios and enterprises.

Technical Context: Classic web skimmer via injected checkout script harvesting PII + PAN; containment requires source integrity controls and runtime tamper detection.

Strategic Intelligence Guidance

  • Mandate CSP + SRI on payment pages; restrict third-party scripts and monitor for DOM/script diffs.
  • Adopt checkout page integrity tooling (e.g., script allowlist, subresource verification).
  • Notify corporate card issuers and rotate cards used on SpeedTree during the exposure window.
  • Conduct credential hygiene for accounts that may share passwords across vendor properties.
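
One way to run the script allowlist, SRI and script-diff checks from the guidance above against a checkout page's HTML. This is an added example, not Unity's code or part of the original brief; the host names, sample markup and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(text):  # sha384 in the base64 form used by SRI integrity attributes
    return "sha384-" + base64.b64encode(hashlib.sha384(text.encode()).digest()).decode()

class ScriptAudit(HTMLParser):
    def __init__(self, allowed_hosts, approved_inline):
        super().__init__()
        self.allowed_hosts, self.approved_inline = set(allowed_hosts), set(approved_inline)
        self.findings = []
        self.inline = None  # text buffer while inside an inline <script>
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src is None:
            self.inline = []  # inline script: collect its body for hashing
            return
        host = urlparse(src).netloc  # empty for same-origin relative paths
        if host and host not in self.allowed_hosts:
            self.findings.append(("off-allowlist", src))
        elif host and not attrs.get("integrity"):
            self.findings.append(("missing-sri", src))
    def handle_data(self, data):
        if self.inline is not None:
            self.inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self.inline is not None:
            body, self.inline = "".join(self.inline), None
            if body.strip() and sri_hash(body) not in self.approved_inline:
                self.findings.append(("unapproved-inline", sri_hash(body)))

def audit_checkout(html, allowed_hosts, approved_inline):
    audit = ScriptAudit(allowed_hosts, approved_inline)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample: hypothetical hosts and scripts, not data from the incident.
SAMPLE_PAGE = """<script src="/js/cart.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://pay.example/ui.js"></script>
<script src="https://cdn.invalid/a.js"></script>
<script>initCheckout();</script>
<script>console.log("unreviewed change");</script>"""
```

Run on a schedule against the rendered checkout page, with the approved inline hashes taken from the last reviewed release, any finding marks a script that bypassed change control. Same-origin files such as `/js/cart.js` are not covered here and need a separate file-hash comparison.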

Vendors

Unity Technologies

Threats

Web Skimmer

Targets

Ecommerce

Gaming Industry