Grubhub: Grubhub confirms hackers stole data in recent security breach

Grubhub Confirms Data Breach Amid Extortion Demands by ShinyHunters

Grubhub has acknowledged a recent data breach after hackers accessed its systems, with sources indicating the company is now facing extortion demands. The food delivery platform confirmed unauthorized access but stated that sensitive data such as financial information or order history remained unaffected.

While Grubhub declined to provide further details, including the breach timeline or whether customer data was compromised, it confirmed collaboration with a third-party cybersecurity firm and law enforcement. Multiple sources identified the ShinyHunters cybercrime group as the likely perpetrators, though the threat actors refused to comment when contacted.

The extortion demands reportedly involve Bitcoin payments to prevent the release of stolen data, including older Salesforce records from a February 2025 breach and newer Zendesk data accessed in the recent incident. Grubhub uses Zendesk for its customer support chat system, which handles orders, account issues, and billing.

The breach appears linked to credentials stolen during the August 2025 Salesloft Drift attacks, in which threat actors used stolen OAuth tokens to compromise Salesforce integrations. Google’s Mandiant reported that the stolen data, including AWS access keys, passwords, and Snowflake tokens, was later used in follow-up attacks. ShinyHunters previously claimed responsibility for the Salesloft breach, alleging the theft of 1.5 billion records from 760 companies.

This incident follows a separate wave of scam emails sent from Grubhub’s b.grubhub.com subdomain last month, promoting a cryptocurrency scam. While Grubhub stated it contained the issue, it remains unclear whether the two events are connected.

Source: https://www.bleepingcomputer.com/news/security/grubhub-confirms-hackers-stole-data-in-recent-security-breach/

Grubhub TPRM report: https://www.rankiteo.com/company/grubhub-seamless

{
  "id": "gru1768529823",
  "linkid": "grubhub-seamless",
  "type": "Breach",
  "date": "2/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Food Delivery',
                        'name': 'Grubhub',
                        'type': 'Company'}],
 'attack_vector': 'Stolen credentials (OAuth tokens, AWS access keys, '
                  'passwords, Snowflake tokens)',
 'data_breach': {'data_exfiltration': 'Yes (threatened for extortion)',
                 'sensitivity_of_data': 'Non-sensitive (financial information '
                                        'and order history unaffected)',
                 'type_of_data_compromised': ['Salesforce records',
                                              'Zendesk customer support data']},
 'description': 'Grubhub confirmed a data breach after hackers accessed its '
                'systems, facing extortion demands. The company stated that '
                'sensitive data such as financial information or order history '
                'remained unaffected. The breach is linked to stolen '
                'credentials from the August 2025 Salesloft Drift attacks and '
                'involves older Salesforce records and newer Zendesk data.',
 'impact': {'data_compromised': 'Salesforce records (February 2025), Zendesk '
                                'data (recent incident)',
            'payment_information_risk': 'None (sensitive financial data '
                                        'unaffected)',
            'systems_affected': ['Zendesk customer support chat system',
                                 'Salesforce integrations']},
 'initial_access_broker': {'entry_point': 'Stolen credentials from Salesloft '
                                          'Drift attacks (August 2025)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion (Bitcoin payments to prevent data release)',
 'post_incident_analysis': {'root_causes': 'Stolen OAuth tokens, AWS access '
                                           'keys, passwords, and Snowflake '
                                           'tokens from Salesloft breach'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': 'Bitcoin payments'},
 'references': [{'source': 'Cybersecurity report'}],
 'response': {'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'third_party_assistance': 'Yes (cybersecurity firm)'},
 'threat_actor': 'ShinyHunters',
 'title': 'Grubhub Data Breach Amid Extortion Demands by ShinyHunters',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Compromised Salesforce integrations, Zendesk '
                            'customer support system'}