PROBABLYPWNED
Data Breaches | March 5, 2026 | 3 min read

HungerRush POS Extortion: Threat Actor Mass-Mails Restaurant Customers

An attacker leverages infostealer-compromised credentials to extort restaurant POS provider HungerRush, sending threatening emails directly to customers and demanding a response.

Sarah Mitchell

Customers of restaurants using the HungerRush point-of-sale platform received emails from a threat actor on March 4, 2026, warning that restaurant and customer data could be exposed if HungerRush fails to respond to extortion demands. The attacker appears to have legitimate access to the company's email infrastructure.

The emails were delivered using Twilio SendGrid from o10.e.hungerrush.com (159.183.129.119), and email headers confirm that the messages passed SPF, DKIM, and DMARC authentication checks for the hungerrush.com domain. This means the attacker has access to authorized email sending systems.
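For triage of a message like this, the check below (an added example, not code from the article or from HungerRush) reads the Authentication-Results header stamped by the receiving MTA and reports whether the SPF and DKIM identities align with the From domain and which host relayed the message. The sample message, the receiving host mx.example.net, the addresses and the DKIM selector are constructed; only the sending host and IP come from the article.

```python
import re
from email import message_from_string
# Constructed sample, not a real message; only the sending host and IP are from the article.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces@o10.e.hungerrush.com;
 dkim=pass header.d=hungerrush.com header.s=s1;
 dmarc=pass header.from=hungerrush.com
Received: from o10.e.hungerrush.com (o10.e.hungerrush.com [159.183.129.119])
 by mx.example.net with ESMTPS; Wed, 04 Mar 2026 10:00:00 +0000
From: HungerRush <notice@hungerrush.com>

body
"""

def parse_auth_results(value):
    """Return (authserv_id, {method: {"result": ..., property: value}})."""
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    methods = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"\b(?:smtp|header)\.([\w-]+)=(\S+)", part))
            methods[m.group(1)] = {"result": m.group(2), **props}
    return (parts[0].split()[0] if parts else ""), methods

def aligned(identity, org):
    # Simplified relaxed alignment: suffix match, no Public Suffix List lookup.
    domain = identity.rsplit("@", 1)[-1].lower()
    return domain == org or domain.endswith("." + org)

def triage(raw, org, trusted_authserv):
    msg = message_from_string(raw)
    # Only trust results stamped by our own MTA; senders can forge this header.
    for value in msg.get_all("Authentication-Results", []):
        authserv, m = parse_auth_results(value)
        if authserv == trusted_authserv:
            break
    else:
        return {"verdict": "no-trusted-results"}
    spf, dkim = m.get("spf", {}), m.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("mailfrom", ""), org)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("d", ""), org)
    dmarc_ok = m.get("dmarc", {}).get("result") == "pass"
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", (msg.get_all("Received") or [""])[0])
    verdict = ("sent-via-authorized-infrastructure" if dmarc_ok and (spf_ok or dkim_ok)
               else "unauthenticated-or-spoofed")
    return {"verdict": verdict, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "source_ip": ip.group(1) if ip else None}
```

A "sent-via-authorized-infrastructure" verdict says nothing about whether the content is legitimate; it only rules out simple spoofing, which is why this incident points to compromise of the sending platform or its credentials.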

From Infostealer to Extortion

Threat intelligence data indicates a HungerRush employee's device was infected with an infostealer in October 2025, leading to the compromise of credentials that included corporate accounts for NetSuite, QuickBooks-related services, Stripe dashboards, Bill.com vendor payment systems, Visa Online commercial services, and Salesforce environments.

A second email sent three hours after the initial message, from "[email protected]," escalated the threat. The attacker claims access to data records for millions of customers containing names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information.

This attack pattern—initial compromise via infostealer followed by extortion—has become increasingly common. The Flare Enterprise Credentials research showed how corporate credentials harvested by infostealers frequently appear in underground markets, enabling exactly this type of follow-on attack.

POS Systems as Prime Targets

Point-of-sale systems represent high-value targets for several reasons. They centralize sensitive data—names, addresses, payment information—across thousands of restaurant locations. Common failure points include unpatched APIs, weak access controls, lack of multi-factor authentication, and third-party integrations that expand attack surface without expanding security budgets.

That the attacker could mass-email every customer tells us the breach runs deep. Access to customer-facing communication channels suggests the compromise extends beyond a single employee account to core business systems.

HungerRush provides POS and restaurant management software to establishments across the United States. A breach affecting their customer database could impact patrons at potentially thousands of restaurants.

Company Response

As a precautionary measure, HungerRush disabled access to the affected email service to prevent additional unauthorized messages from being sent while the investigation continues. The company has not yet confirmed the scope of the breach or whether customer payment data was actually accessed.

The BridgePay ransomware attack demonstrated how payment processing disruptions cascade through restaurant operations. HungerRush faces a similar situation where the breach affects not just their systems but potentially thousands of downstream businesses and their customers.

What Restaurant Patrons Should Do

If you've received an email from HungerRush with threatening language:

  1. Don't panic or engage - The extortion email is designed to create urgency
  2. Monitor payment cards - Watch for unauthorized transactions on cards used at restaurants
  3. Change passwords - If you created an account through a HungerRush-powered ordering system
  4. Enable fraud alerts - Contact your bank to flag any suspicious activity
  5. Be wary of follow-ups - Threat actors sometimes send additional phishing attempts after initial contact

For restaurants using HungerRush:

  1. Contact HungerRush directly through verified channels for breach details
  2. Prepare customer communications - Be ready to address concerned patrons
  3. Review access logs - Check for unauthorized access to your HungerRush admin panels
  4. Document everything - Preserve evidence for potential regulatory reporting

The investigation is ongoing. Whether this escalates to a full data leak or is resolved through other means remains to be seen.
