Grubhub confirms data breach amid extortion accusations

Food delivery platform Grubhub has confirmed a recent data breach after unauthorized actors accessed parts of its internal systems.

The disclosure comes as sources tell BleepingComputer that the company is now facing extortion claims related to stolen data.

In a statement to BleepingComputer, Grubhub said it detected and stopped the activity quickly.

“We are aware of unauthorized persons who have recently downloaded data from certain Grubhub systems,” the company said. “We quickly investigated, stopped the activity and are taking steps to further increase our security posture.”

Grubhub added that sensitive information, such as financial details or order history, was not affected. However, the company declined to answer follow-up questions about when the breach occurred, whether customer data was involved, or whether it is being actively extorted.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

RANSOMWARE ATTACK EXPOSES SOCIAL SECURITY NUMBERS AT CHAIN ​​OF IMPORTANT GASOLINE STATIONS

What Grubhub has confirmed so far

While details remain limited, Grubhub confirmed several key points. He hired an outside cybersecurity company and notified authorities. Beyond that, the company has largely remained silent. That lack of details has raised concerns, especially given Grubhub’s recent security record. Last month, the company was linked to fraudulent emails sent from its own b.grubhub.com subdomain. Those messages promoted a cryptocurrency scam that promised huge returns on Bitcoin payments. Grubhub said it contained the incident and blocked further unauthorized emails. He did not clarify whether the two events are related.

Sources link breach to ShinyHunters extortion

According to multiple sources cited by BleepingComputer, the hacking group ShinyHunters is behind the extortion attempt. The group has not commented publicly on the claims and declined to respond when contacted. Sources say the attackers demand payment in Bitcoin to prevent the disclosure of stolen data. That data reportedly includes older Salesforce records from a February 2025 breach and newer Zendesk data taken during the most recent intrusion. Grubhub uses Zendesk to run its online customer service system. That platform handles ordering issues, account access, and billing questions, making it a valuable target for attackers.

How stolen credentials may have enabled the attack

Researchers believe the breach may be related to credentials stolen during previous Salesloft Drift attacks. In August 2025, threat actors used OAuth tokens stolen from Salesloft’s Salesforce integration to access sensitive systems over a 10-day period. According to a report from Google Threat Intelligence Group, also known as Mandiant, the attackers used the stolen data to launch follow-on attacks on multiple platforms. “GTIG observed that UNC6395 targeted sensitive credentials such as AWS access keys, passwords, and Snowflake-related access tokens,” Google reported. ShinyHunters previously claimed responsibility for that campaign, claiming it stole approximately 1.5 billion records from Salesforce environments linked to hundreds of companies.

Why this violation is still important

Even if payment data and order history were not affected, the supporting systems often contain personal data. Names, email addresses, and account notes can be enough to fuel phishing attacks or identity scams. More importantly, this incident highlights how older breaches can continue to cause damage long after the initial attack. Stolen credentials that are never rotated remain a powerful entry point for threat actors.

Ways to stay safe after the Grubhub data breach

If you use Grubhub or any online delivery service, a few smart steps can reduce your risk after a breach.

1) Update your password and stop reusing it

Get started by changing your Grubhub password right away. Make sure you don’t reuse that password anywhere else. Reused passwords give attackers an easy path to other accounts. A password manager can help here. Create strong, unique logins and store them securely so you don’t have to remember them all.

Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

ILLINOIS DHS DATA BREACH EXPOSES RECORDS OF 700,000 RESIDENTS

2) Activate two-factor authentication

If two-factor authentication (2FA) is available, enable it. This adds a second step to signing in, like a code sent to your phone or app. Even if a hacker steals your password, two-factor authentication can prevent them from logging in.

3) Be alert for phishing attempts and use strong antivirus software

Be on the lookout for emails or text messages that mention orders, refunds, or support issues. Attackers often use stolen supporting data to make messages appear urgent and real. Don’t click on links or open attachments unless you are sure they are legitimate. Strong antivirus software can also help block malicious downloads and links before they cause harm.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

4) Delete your data from people search sites.

Consider using a data removal service to reduce your online footprint. These services help remove your personal data from data broker sites that attackers often use to create profiles. Less exposed data means fewer tools for fraudsters to exploit.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.

5) Ignore cryptographic messages that use trusted brands

Be skeptical of any cryptocurrency offerings linked to well-known companies. Grubhub was previously linked to fraudulent emails promoting crypto schemes, showing how often trusted names are abused by attackers. Legitimate companies do not promise quick returns or pressure you to act immediately.

6) Monitor your Grubhub account and email activity

Review your Grubhub account for anything that seems unfamiliar. Be on the lookout for unexpected password reset emails, order confirmations, or support messages you didn’t request. Attackers often test stolen data quietly before making bigger moves.

7) Secure the email linked to your Grubhub account

Your email account is the key to resetting your password. Change that password and enable two-factor authentication if it is not already enabled. If attackers control your email, they can regain access even after you change other passwords.

8) Be alert for delayed breach-related scams

Breach data is often reused weeks or months later. Phishing attempts can appear long after the headlines disappear. Treat any future messages that claim to reference Grubhub support, refunds, or account issues with particular caution.

These steps will not undo a breach, but they can limit how attackers exploit stolen information and reduce risk in the future.

FIBER BROADBAND GIANT INVESTIGATES BREACH AFFECTING 1M USERS

Kurt’s Key Takeaways

Grubhub’s confirmation puts an official seal on what sources have been warning about for weeks. While the company says sensitive data was not affected, questions remain unanswered. As breaches caused by extortion increase, transparency and rapid credential turnover are more important than ever. What stands out most is how past commitments continue to create new risks. When access tokens last too long, attackers do not need to log in again. They simply return through an open door.

If companies remain silent after breaches, how can customers know when it’s time to protect themselves? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE News APP

Sign up to receive my FREE CyberGuy report
Receive m It’s top tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

Copyright 2026 CyberGuy.com. All rights reserved.