Data Breaches | January 16, 2026 | 4 min read

Grubhub Hit by Second Breach, ShinyHunters Demanding Ransom

Food delivery giant confirms hackers stole data and are now extorting the company. Attack traced to credentials stolen in August 2025 Salesloft breach.

Sarah Mitchell

Grubhub confirmed Wednesday that hackers breached its systems and stole data. Sources familiar with the incident told BleepingComputer that the ShinyHunters cybercrime group is behind the attack and has issued extortion demands. The company isn't saying what was taken or whether customer information is involved.

This is Grubhub's second major security incident in less than a year. The breach appears connected to the August 2025 Salesloft/Drift compromise, where attackers stole OAuth tokens that later enabled follow-on attacks against hundreds of companies.

What We Know

Grubhub acknowledged the breach but kept details vague. "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," the company told reporters. "We quickly investigated, stopped the activity, and are taking steps to further increase our security posture."

When asked about the scope of compromised data, timing, or extortion demands, Grubhub declined to comment. The company confirmed it engaged a third-party cybersecurity firm and notified law enforcement.

The attackers reportedly gained access through credentials stolen during the Salesloft breach last August. Salesloft, a sales engagement platform, suffered a compromise that exposed OAuth tokens for multiple integrated services. Those tokens provided persistent access that attackers exploited months later.

ShinyHunters—the group allegedly behind the extortion—previously claimed responsibility for stealing approximately 1.5 billion Salesforce records from 760 companies during the original Drift attacks. The group has a track record of high-profile breaches and data sales on criminal forums.

Supply Chain Breach Fallout

The attack illustrates how supply chain compromises create long-tail risks. When Salesloft's OAuth tokens leaked in August 2025, the immediate damage was apparent. But those credentials enabled access to connected systems—Zendesk customer support platforms, Salesforce instances, and other integrated services—that attackers could exploit whenever convenient.

Grubhub uses Zendesk for customer support. The breach reportedly compromised that system along with older Salesforce data. Both would have been accessible via the stolen OAuth tokens without requiring Grubhub's own credentials.

Organizations that integrated with Salesloft or Drift should assume their connected accounts were exposed. The window between the August breach and current exploitation gave attackers months to map access, identify valuable targets, and plan their approach.

Previous Grubhub Incidents

This isn't Grubhub's first rodeo with security problems. Earlier in 2025, the company disclosed a separate breach involving a third-party contractor that accessed contact information for campus diners, as well as customers, merchants, and drivers who interacted with customer service.

That breach exposed partial payment card information for some users (card type and last four digits) and hashed passwords for legacy systems. Hackers later claimed to have stolen 70 million lines of Grubhub data including millions of hashed passwords, phone numbers, and email addresses.

Last month, Grubhub's email infrastructure was also abused to send cryptocurrency scam messages from a legitimate subdomain. While not a breach per se, it demonstrated weaknesses in the company's security controls.

What Customers Should Do

Grubhub hasn't specified what data was stolen in the current breach. Given the company's silence and history, customers should take precautions:

  1. Change your Grubhub password, and the password on any other account that reuses it
  2. Enable two-factor authentication if available
  3. Monitor for phishing attempts referencing Grubhub orders or account issues
  4. Watch financial statements for unauthorized charges
  5. Consider credit monitoring if you've been a Grubhub customer

The extortion angle adds uncertainty. If ShinyHunters' demands aren't met, stolen data may appear on criminal forums or leak sites. Customers should prepare for the possibility that their information becomes public regardless of Grubhub's response.

Why This Matters

Food delivery platforms collect extensive personal information: home addresses, payment methods, phone numbers, order histories that reveal dietary preferences and schedules. That data has obvious value for identity theft, targeted phishing, and even physical security threats.

Grubhub's repeat breaches reflect systemic issues. The company's dependence on third-party integrations creates attack surface that internal security can't fully control. When contractors, support platforms, and sales tools all have access to customer data, each integration becomes a potential entry point.

For enterprise customers, the lesson is clear: third-party risk management isn't optional. OAuth tokens, API keys, and service accounts need regular rotation and monitoring. When a vendor suffers a breach, assume your connected data is compromised and act accordingly.
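One way to put that rotation-and-monitoring advice into practice is a periodic audit of the credentials you have issued to third parties. The sketch below is an added example, not code from Grubhub, Salesloft or any vendor named here; the inventory entries, the 90-day policy and the exact breach date (the article gives only "August 2025") are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_AGE = timedelta(days=90)  # assumed rotation policy, adjust to your own

@dataclass
class Credential:
    name: str                   # label in your own inventory (hypothetical)
    vendor: str                 # third party that holds or brokers the secret
    kind: str                   # "oauth_token", "api_key" or "service_account"
    issued: date                # when the current secret was minted or last rotated
    last_used: Optional[date]   # None if no use has been recorded

def audit(creds, today, breached_vendors):
    """Return {credential name: [reasons]} for every credential needing action.

    breached_vendors maps a vendor name to the date its breach began.
    """
    findings = {}
    for c in creds:
        reasons = []
        breach = breached_vendors.get(c.vendor)
        if breach is not None and c.issued <= breach:
            # The secret existed when the vendor was compromised: treat as stolen.
            reasons.append("issued before vendor breach: revoke and reissue")
            if c.last_used is not None and c.last_used > breach:
                reasons.append("used after vendor breach: review access logs")
        if today - c.issued > MAX_AGE:
            reasons.append("older than rotation policy")
        if reasons:
            findings[c.name] = reasons
    return findings

# Constructed sample inventory; every name and date is illustrative.
INVENTORY = [
    Credential("crm-sync", "salesloft", "oauth_token", date(2025, 3, 10), date(2026, 1, 10)),
    Credential("support-desk-bot", "salesloft", "oauth_token", date(2025, 9, 15), date(2026, 1, 15)),
    Credential("billing-export", "internal", "api_key", date(2025, 12, 1), date(2026, 1, 14)),
    Credential("legacy-report", "othervendor", "service_account", date(2024, 6, 1), None),
]
# Placeholder day: the article states only the month of the Salesloft breach.
BREACHED = {"salesloft": date(2025, 8, 1)}

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY, date(2026, 1, 16), BREACHED).items():
        print(name, "->", "; ".join(reasons))
```

A token issued before the vendor's breach and still in use afterwards is the case that matters most: rotation alone is not enough there, and the access logs for the connected system need review.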
