Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.
“We’re aware of unauthorized individuals who recently downloaded data from certain Grubhub systems,” Grubhub told BleepingComputer.
“We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected.”
Grubhub would not answer any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.
However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.
Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.
Grubhub stated at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.
It’s unclear if the two incidents are connected.
While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.
BleepingComputer tried to verify these claims with the threat actors, but they refused to comment.
According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.
Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.
While it’s unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.
In August, threat actors used stolen OAuth tokens for Salesloft’s Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.
According to a report by Google’s Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.
“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” reports Google.
ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the “Account”, “Contact”, “Case”, “Opportunity”, and “User” Salesforce object tables for 760 companies.
As threat actors continue to abuse previously stolen Salesforce data to conduct follow-on attacks, organizations impacted by the Salesloft Drift breaches must rotate all affected access tokens and secrets as quickly as possible if they have not already done so.
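An added example (not from the original article, Grubhub, or Google): one way an affected organization could inventory secrets sitting in exported Salesforce Case or support-ticket text so that the rotation advised above covers each of them once. The record layout, the password and Snowflake patterns, and all sample rows are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# AKIA + 16 characters is the AWS access key ID format; the other two patterns are assumed heuristics.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    "snowflake_account": re.compile(r"(?i)\b([a-z0-9_.-]+\.snowflakecomputing\.com)\b"),
}

def redact(kind, value):
    """Mask passwords fully; keep a 4-character prefix of other values for triage."""
    return "*" * len(value) if kind == "password" else value[:4] + "*" * (len(value) - 4)

def scan_records(records):
    """Return one finding per secret-like match in the text fields of each record."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    value = match.group(1)
                    fp = hashlib.sha256(value.encode()).hexdigest()[:12]
                    findings.append({"record": rec["Id"], "field": field, "kind": kind,
                                     "shown": redact(kind, value), "fingerprint": fp})
    return findings

def rotation_inventory(findings):
    """Group findings per distinct value so each credential is rotated once."""
    inventory = defaultdict(lambda: {"kind": None, "shown": None, "records": set()})
    for f in findings:
        entry = inventory[f["fingerprint"]]
        entry["kind"], entry["shown"] = f["kind"], f["shown"]
        entry["records"].add(f["record"])
    return dict(inventory)

# Constructed sample rows shaped like exported Case records (not real data).
SAMPLE_CASES = [
    {"Id": "CASE-001", "Description": "Using key AKIAIOSFODNN7EXAMPLE on the deploy host."},
    {"Id": "CASE-002", "Description": "acme-xy12345.snowflakecomputing.com password: Winter2025!"},
    {"Id": "CASE-003", "Description": "Same key as before: AKIAIOSFODNN7EXAMPLE"},
    {"Id": "CASE-004", "Description": "Order arrived late, please refund."},
]

if __name__ == "__main__":
    print(rotation_inventory(scan_records(SAMPLE_CASES)))
```

The inventory stores only masked values and a truncated hash, so the report itself does not become a second copy of the exposed secrets.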
