Grubhub Breach: Data Theft Confirmed, Extortion Suspected

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Unauthorized Access: Grubhub has officially acknowledged that unauthorized individuals accessed and downloaded data from its systems.
  • Extortion Attempts Reported: ShinyHunters may be extorting Grubhub, threatening to release data allegedly stolen from Zendesk and Salesforce instances.
  • Third-Party Involvement: The breach is reportedly linked to compromised credentials from a third-party vendor, possibly stemming from recent Salesloft Drift data theft.

The food delivery giant has confirmed a significant Grubhub data breach, stating that unauthorized actors accessed its systems and downloaded internal data. While the company has not publicly disclosed the exact scope or timeline of the incident, it has engaged a third-party cybersecurity firm and notified law enforcement. 

Grubhub Acknowledges Cybersecurity Incident

In a statement, Grubhub emphasized that sensitive customer financial information and order histories were not affected by the intrusion. "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," the company told BleepingComputer.

However, the lack of transparency regarding the specific data types compromised raises concerns about potential downstream attacks. 

ShinyHunters Extortion and Third-Party Risks

Intelligence from sources indicates that the threat actor group ShinyHunters may be behind the attack and is actively extorting the company. The group is reportedly demanding a Bitcoin payment to prevent the leak of data allegedly stolen from Grubhub's Zendesk support system and older Salesforce records. 

Reports suggest the data breach may have originated from stolen credentials linked to the Salesloft Drift attacks in August 2025, in which threat actors harvested OAuth tokens to infiltrate Salesforce instances across multiple organizations. ShinyHunters claimed almost 1,000 victims.

In October, Google’s Mandiant said the UNC6395 threat actor specifically targeted Amazon Web Services (AWS) access keys (AKIA identifiers), Snowflake-related access tokens, and login URL strings. 

Implications for Enterprise Security

Organizations must rigorously audit third-party access privileges and rotate secrets immediately upon suspicion of compromise. 
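A defender-side sweep for the artifact types named above, as an added example that is not from the original article or from Mandiant: it scans exported support-ticket or CRM text for AWS access key IDs and login URLs so the exposed keys can be queued for rotation. The record layout, the `sweep` and `mask` helpers, and the login-URL pattern are assumptions; the sample records are constructed and use AWS's documented example key ID.

```python
import re
from collections import defaultdict

# Constructed sample records standing in for exported tickets / CRM cases.
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live credential.
SAMPLE_RECORDS = [
    {"id": "case-001", "body": "Pasted config: aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=us-east-1"},
    {"id": "case-002", "body": "Please reset my delivery address, thanks."},
    {"id": "case-003", "body": "Login at https://acme-demo.snowflakecomputing.com/console/login fails"},
    {"id": "case-004", "body": "Is AKIAIOSFODNN7EXAMPLE still active? Ref MAKIAVELLIANPLOTTERS01."},
]

PATTERNS = {
    # AWS long-term access key IDs: "AKIA" plus 16 uppercase letters/digits.
    # The lookarounds stop matches inside longer alphanumeric strings.
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])"),
    # Assumption: a "login URL" is any URL mentioning login/signin or a
    # Snowflake account host; tune this to the services you actually use.
    "login_url": re.compile(
        r"https?://[^\s\"'<>]*(?:login|signin|snowflakecomputing\.com)[^\s\"'<>]*",
        re.IGNORECASE,
    ),
}


def sweep(records):
    """Return {kind: {matched_value: [record ids]}} for every pattern hit."""
    findings = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(rec["body"]):
                findings[kind][m.group(0)].add(rec["id"])
    return {k: {v: sorted(ids) for v, ids in vals.items()}
            for k, vals in findings.items()}


def mask(value, keep=4):
    """Shorten a value for reports so the worklist does not re-leak it."""
    return value[:keep] + "..." + value[-keep:]


if __name__ == "__main__":
    for kind, values in sweep(SAMPLE_RECORDS).items():
        for value, ids in values.items():
            print(f"{kind}: {mask(value)} seen in {', '.join(ids)} -> rotate/review")
```

Each distinct key ID appears once in the output with every record that contains it, which gives a rotation worklist rather than a raw hit count.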

For Grubhub, the breach follows a recent wave of scam emails originating from its own subdomains, further complicating the security landscape for the platform and its users. The company also suffered a data breach in February 2025.

The exploitation of third-party integrations, such as customer support platforms and CRM systems, remains a favored vector for sophisticated threat actors. 

This week, JPMorgan disclosed a supply chain breach at a law firm that impacts over 650 investors. Last month, ShinyHunters extorted Pornhub after premium users’ data was exposed due to an alleged third-party breach at Mixpanel.

