Grubhub: Grubhub confirms hackers stole data in recent security breach

Grubhub Confirms Data Breach as ShinyHunters Extortion Demands Surface

Grubhub has acknowledged a recent data breach after hackers accessed its systems, with sources indicating the company is now facing extortion demands from the ShinyHunters cybercrime group. The food delivery platform confirmed unauthorized access but stated that sensitive data, including financial information and order history, was not compromised.

While Grubhub did not disclose the breach’s timing or whether customer data was involved, it confirmed collaboration with a third-party cybersecurity firm and law enforcement. The incident follows a separate wave of scam emails sent from Grubhub’s b.grubhub.com subdomain last month, promoting a cryptocurrency scam, though it remains unclear if the two events are connected.

Sources told BleepingComputer that ShinyHunters is demanding a Bitcoin payment to prevent the release of stolen data, including older Salesforce records from a February 2025 breach and newer Zendesk data accessed in the recent incident. Grubhub uses Zendesk for customer support, handling orders, account issues, and billing.

The breach is believed to stem from credentials stolen during the August 2025 Salesloft Drift attacks, where threat actors exploited stolen OAuth tokens to compromise Salesforce integrations. Google’s Mandiant reported that the stolen data, including AWS keys, passwords, and Snowflake tokens, was later used in follow-up attacks. ShinyHunters previously claimed responsibility for the Salesloft breach, alleging the theft of 1.5 billion records from 760 companies.

As cybercriminals continue leveraging stolen Salesforce data for secondary attacks, organizations affected by the Salesloft Drift breaches have been urged to rotate exposed credentials and access tokens.

Source: https://www.bleepingcomputer.com/news/security/grubhub-confirms-hackers-stole-data-in-recent-security-breach/

Grubhub cybersecurity rating report: https://www.rankiteo.com/company/grubhub-seamless

"id": "GRU1768515503",
"linkid": "grubhub-seamless",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Food & Beverage, E-commerce',
                        'name': 'Grubhub',
                        'type': 'Food Delivery Platform'}],
 'attack_vector': 'Stolen credentials/secrets from Salesloft Drift data theft '
                  'attacks',
 'customer_advisories': 'Limited public statement confirming breach, no '
                        'detailed customer advisory',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'Non-sensitive (financial information '
                                        'and order history not affected)',
                 'type_of_data_compromised': ['Salesforce data',
                                              'Zendesk data']},
 'description': 'Grubhub confirmed a data breach after hackers accessed its '
                'systems, with sources indicating the company is facing '
                'extortion demands. The threat actors, identified as '
                'ShinyHunters, are demanding a Bitcoin payment to prevent the '
                'release of older Salesforce data from a February 2025 breach '
                'and newer Zendesk data stolen in the recent breach. Grubhub '
                'stated that sensitive information like financial details or '
                'order history was not affected.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breach and extortion',
            'data_compromised': 'Salesforce data (February 2025), Zendesk data '
                                '(recent breach)',
            'payment_information_risk': 'None (sensitive financial information '
                                        'not affected)',
            'systems_affected': 'Zendesk support chat system, Salesforce '
                                'integration'},
 'initial_access_broker': {'entry_point': 'Stolen OAuth tokens from Salesloft '
                                          'Drift breach'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Rotate affected access '
                                                  'tokens and secrets, enhance '
                                                  'security posture',
                            'root_causes': 'Stolen credentials/secrets from '
                                           'Salesloft Drift data theft '
                                           'attacks, inadequate rotation of '
                                           'access tokens'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': 'Bitcoin payment'},
 'recommendations': 'Rotate all affected access tokens and secrets, enhance '
                    'monitoring for stolen credentials, improve incident '
                    'response communication',
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Google Threat Intelligence (Mandiant)'}],
 'response': {'communication_strategy': 'Limited public disclosure, no further '
                                        'details provided',
              'containment_measures': 'Stopped unauthorized access, increased '
                                      'security posture',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'third_party_assistance': 'Yes (cybersecurity firm)'},
 'threat_actor': 'ShinyHunters',
 'title': 'Grubhub Data Breach and Extortion by ShinyHunters',
 'type': 'Data Breach, Extortion',
 'vulnerability_exploited': "Stolen OAuth tokens for Salesloft's Salesforce "
                            'integration, compromised credentials/secrets'}