Grubhub confirms hackers stole information in recent security breach

Exclusive: Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.

“We’re aware of unauthorized people who recently downloaded information from certain Grubhub systems,” Grubhub told BleepingComputer.

“We quickly investigated, stopped the activity, and are taking steps to further enhance our security posture. Sensitive data, such as financial data or order history, was not affected.”

Grubhub would not respond to any further questions about the breach, including when it occurred, whether customer data was involved, or whether it was being extorted.

However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.

Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.

Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.

It’s unclear if the two incidents are related.

Extorted by hackers

While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.

BleepingComputer attempted to verify these claims with the threat actors, but they refused to comment.

According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.

Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.

While it’s unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.

In August, threat actors used stolen OAuth tokens for Salesloft’s Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.

According to a report by Google’s Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.

“GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens,” reports Google.

ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the “Account”, “Contact”, “Case”, “Opportunity”, and “User” Salesforce object tables for 760 companies.

As threat actors continue to abuse previously stolen Salesforce data to carry out follow-on attacks, organizations impacted by the Salesloft Drift breaches should rotate all affected access tokens and secrets as soon as possible if they haven’t already done so.
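For teams working through that rotation, the sketch below is an added example (not code from BleepingComputer, Google, or Grubhub) that scans an organization's own exported support-case text for the credential types named in the Google quote and groups the affected cases into a rotation worklist. The record layout, sample cases, and detection patterns are constructed assumptions.

```python
import re

# (regex, redact?) per finding type. Illustrative assumptions, not a full ruleset.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), True),
    "password_assignment": (re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"), True),
    # A Snowflake account hostname is not a secret, but it marks a case to review by hand.
    "snowflake_account_host": (re.compile(r"(?i)\b([\w.-]+\.snowflakecomputing\.com)\b"), False),
}

# Constructed sample export of support-case text; the field names are hypothetical.
SAMPLE_CASES = [
    {"id": "CASE-001", "body": "Customer pasted key AKIAIOSFODNN7EXAMPLE while debugging S3 upload."},
    {"id": "CASE-002", "body": "Order arrived late, refund requested."},
    {"id": "CASE-003", "body": "Login fails. user=ops password: Summer2025! host acme-xy12345.snowflakecomputing.com"},
]

def redact(value):
    """Keep just enough of a secret to identify it in a rotation ticket."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"

def find_exposed_secrets(cases):
    """Return one finding per match: case id, finding type, redacted value."""
    findings = []
    for case in cases:
        for kind, (pattern, is_secret) in PATTERNS.items():
            for match in pattern.finditer(case["body"]):
                value = match.group(1)
                findings.append({"case": case["id"], "kind": kind,
                                 "value": redact(value) if is_secret else value})
    return findings

def rotation_worklist(findings):
    """Group case ids by finding type so each credential owner gets one list."""
    worklist = {}
    for finding in findings:
        worklist.setdefault(finding["kind"], set()).add(finding["case"])
    return worklist

if __name__ == "__main__":
    for kind, cases in sorted(rotation_worklist(find_exposed_secrets(SAMPLE_CASES)).items()):
        print(kind, sorted(cases))
```

Any credential that appears in such an export should be treated as exposed and rotated, regardless of whether misuse has been observed.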
