Grubhub confirms data breach amid extortion claims

NEWYou can now listen to Fox News articles!

Food delivery platform Grubhub has confirmed a recent data breach after unauthorized actors accessed parts of its internal systems.

The disclosure comes as sources tell BleepingComputer the company is now facing extortion demands linked to stolen data.

In a statement to BleepingComputer, Grubhub said it detected and stopped the activity quickly.

“We’re aware of unauthorized individuals who recently downloaded data from certain Grubhub systems,” the company said. “We quickly investigated, stopped the activity, and are taking steps to further increase our security posture.”

Grubhub added that sensitive information, such as financial details or order history, was not affected. However, the company declined to answer follow-up questions about when the breach occurred, whether customer data was involved, or if it is actively being extorted.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

RANSOMWARE ATTACK EXPOSES SOCIAL SECURITY NUMBERS AT MAJOR GAS STATION CHAIN

What Grubhub has confirmed so far

While details remain limited, Grubhub confirmed several key points. It has brought in a third-party cybersecurity firm and notified law enforcement. Beyond that, the company has stayed largely silent. That lack of detail has raised concern, especially given Grubhub’s recent security history. Just last month, the company was linked to scam emails sent from its own b.grubhub.com subdomain. Those messages promoted a cryptocurrency scam promising large returns on Bitcoin payments. Grubhub said it contained the incident and blocked further unauthorized emails. It did not clarify whether the two events are related.

Sources link the breach to ShinyHunters extortion

According to multiple sources cited by BleepingComputer, the ShinyHunters hacking group is behind the extortion attempt. The group has not publicly commented on the claims and declined to respond when contacted. Sources say the attackers are demanding a Bitcoin payment to prevent the release of stolen data. That data reportedly includes older Salesforce records from a February 2025 breach and newer Zendesk data taken during the most recent intrusion. Grubhub uses Zendesk to run its online customer support system. That platform handles order issues, account access and billing questions, making it a valuable target for attackers.

How stolen credentials may have enabled the attack

Investigators believe the breach may be tied to credentials stolen during earlier Salesloft Drift attacks. In August 2025, threat actors used stolen OAuth tokens from Salesloft’s Salesforce integration to access sensitive systems over a ten-day period. According to a report from Google Threat Intelligence Group, also known as Mandiant, attackers used that stolen data to launch follow-up attacks across multiple platforms. “GTIG observed UNC6395 targeting sensitive credentials such as AWS access keys, passwords and Snowflake-related access tokens,” Google reported. ShinyHunters previously claimed responsibility for that campaign, stating it stole roughly 1.5 billion records from Salesforce environments tied to hundreds of companies.

Why this breach still matters

Even if payment data and order history were not affected, support systems often contain personal details. Names, email addresses and account notes can be enough to fuel phishing attacks or identity scams. More importantly, this incident highlights how older breaches can continue to cause damage long after the initial attack. Stolen credentials that are never rotated remain a powerful entry point for threat actors.

Ways to stay safe after the Grubhub data breach

If you use Grubhub or any online delivery service, a few smart steps can reduce your risk after a breach.

1) Update your password and stop re-use

Start by changing your Grubhub password right away. Make sure you do not reuse that password anywhere else. Reused passwords give attackers an easy path into other accounts. A password manager can help here. It creates strong, unique logins and stores them securely so you do not have to remember them all.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

ILLINOIS DHS DATA BREACH EXPOSES 700K RESIDENTS’ RECORDS

2) Turn on two-factor authentication

If two-factor authentication (2FA) is available, enable it. This adds a second step when you sign in, such as a code sent to your phone or app. Even if a hacker steals your password, two-factor authentication can stop them from getting in.

3) Watch closely for phishing attempts and use strong antivirus software

Be alert for emails or texts that mention orders, refunds or support issues. Attackers often use stolen support data to make messages feel urgent and real. Do not click links or open attachments unless you are certain they are legitimate. Strong antivirus software can also help block malicious links and downloads before they cause harm.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com.

4) Remove your data from people-search sites

Consider using a data removal service to reduce your online footprint. These services help remove your personal details from data broker sites that attackers often use to build profiles. Less exposed data means fewer tools for scammers to exploit.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

5) Ignore crypto messages using trusted brands

Be skeptical of any cryptocurrency offers tied to familiar companies. Grubhub was previously linked to scam emails promoting crypto schemes, which shows how often attackers abuse trusted names. Legitimate companies do not promise fast returns or pressure you to act immediately.

6) Monitor your Grubhub account and email activity

Check your Grubhub account for anything that looks unfamiliar. Watch for unexpected password reset emails, order confirmations or support messages you did not request. Attackers often test stolen data quietly before making bigger moves.

7) Secure the email linked to your Grubhub account

Your email account is the key to password resets. Change that password and enable two-factor authentication if it is not already on. If attackers control your email, they can regain access even after you change other passwords.

8) Stay alert for delayed scams tied to the breach

Breach data is often reused weeks or months later. Phishing attempts may appear long after headlines fade. Treat any future messages claiming to reference Grubhub support, refunds or account issues with extra caution.

These steps will not undo a breach, but they can limit how attackers exploit stolen information and reduce your risk going forward.

FIBER BROADBAND GIANT INVESTIGATES BREACH AFFECTING 1M USERS

Kurt’s key takeaways

Grubhub’s confirmation puts an official stamp on what sources have warned about for weeks. While the company says sensitive data was not affected, unanswered questions remain. As extortion-driven breaches rise, transparency and rapid credential rotation matter more than ever. What stands out most is how past compromises continue to create new risks. When access tokens live too long, attackers do not need to break in again. They simply walk back through an open door.

If companies stay quiet after breaches, how can customers know when it is time to protect themselves? Let us know by writing to us at Cyberguy.com.

Read the full article here