What Happened
In April 2025, Adyen experienced a distributed denial-of-service (DDoS) attack, not a data breach. The attack occurred on April 21, 2025, beginning at 18:51 CEST and targeting Adyen’s European data centers with three distinct waves of malicious traffic that generated millions of requests per minute. The attack disrupted payment services across Europe, causing failed or delayed transactions for customers of major merchants including Uber, eBay, Meta, and Spotify, with services including E-commerce payments, In-Person Payment processing, Hosted Onboarding, and the Transfer API experiencing intermittent outages. The incident was resolved by 03:20 CEST on April 22, 2025, after approximately nine hours. Importantly, no data was stolen or exposed in this incident—the attack was purely a service disruption caused by traffic flooding rather than a data breach. However, a separate incident involved approximately 102,000 records allegedly leaked from a third-party service integrated with Adyen’s payment processing environment, which was published on dark web forums and attributed to unauthorized third-party access rather than a direct compromise of Adyen’s systems.
