
Grubhub Data Breach: Hackers Stole Customer Information

Summary

– Grubhub confirmed a data breach where hackers accessed its systems and is reportedly facing extortion demands from the cybercrime group ShinyHunters.
– The company stated that sensitive financial information and order history were not affected, and it has taken steps to improve security and notified law enforcement.
– The breach is linked to stolen credentials from the recent Salesloft Drift attacks, which were used to access Grubhub’s Zendesk support system data.
– This incident follows a separate recent event where Grubhub’s subdomain was used to send cryptocurrency scam emails, though a connection is unclear.
– Organizations impacted by the Salesloft Drift breaches are urged to rotate all compromised access tokens and secrets to prevent further attacks.

The popular food delivery service Grubhub has confirmed a security incident involving unauthorized access to its systems, leading to a data breach. The company states it has contained the activity and is working with cybersecurity experts and law enforcement. While Grubhub maintains that sensitive financial data and order history were not compromised, the company has declined to comment on specifics, including whether customer information was taken or if extortion demands are involved.

Multiple sources indicate that the notorious ShinyHunters cybercrime group is behind the attack and is now extorting the company. The hackers are reportedly demanding a Bitcoin ransom in exchange for not releasing two distinct datasets: older information from a Salesforce platform breach dating back to February 2025, and newer data stolen from Grubhub’s Zendesk support system in this latest incident. Grubhub uses Zendesk to manage its online customer support for orders, accounts, and billing inquiries.

The exact timeline of the breach remains unclear, but evidence suggests it may be connected to a wider campaign. Information points to the attackers using credentials stolen during the recent Salesloft Drift data theft attacks. In August 2025, threat actors exploited stolen OAuth tokens related to Salesloft’s Salesforce integration, conducting a data harvesting operation over a ten-day period. According to analysis from Google’s Threat Intelligence team, the stolen data from that event was then used to gather further credentials and secrets, enabling subsequent attacks on other platforms.

This incident follows another security problem for Grubhub last month, when its systems were linked to a wave of scam emails. Messages sent from a Grubhub subdomain promoted a fraudulent cryptocurrency scheme. The company stated it had addressed that issue at the time but provided no further details. It is currently unknown if the two security events are related.

The ShinyHunters group previously claimed responsibility for the extensive Salesloft breach, alleging the theft of roughly 1.5 billion records from Salesforce tables belonging to hundreds of companies. This pattern highlights a critical security risk: threat actors persistently reuse previously stolen data to launch new attacks. Organizations affected by the Salesloft Drift compromises are urged to immediately rotate all potentially compromised access tokens and secrets, if they have not already done so, to prevent further infiltration.

(Source: Bleeping Computer)
