
Grubhub confirms data breach as hackers download internal data and issue extortion threats

Food delivery platform Grubhub confirmed that unauthorized actors recently accessed parts of its internal systems and downloaded data, prompting an investigation and heightened security measures as the company faces extortion demands tied to the incident.


Grubhub said it identified and stopped the unauthorized activity after detecting the data download from certain systems. The company stated that it moved quickly to investigate the intrusion and is taking additional steps to strengthen its security posture. Grubhub said sensitive information such as financial data and customer order history was not affected.


The company did not disclose when the breach occurred or specify what categories of data were accessed. It also declined to confirm whether customer information was involved or whether it is currently being extorted. Grubhub said it is working with a third-party cybersecurity firm and has notified law enforcement.


The disclosure follows a separate incident last month in which Grubhub was linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scheme promising large returns on Bitcoin payments. Grubhub said at the time that it contained the issue and implemented measures to prevent further unauthorized messages. The company did not provide additional details, and it remains unclear whether the two incidents are related.


Multiple sources familiar with the matter said the ShinyHunters cybercrime group is attempting to extort Grubhub. The alleged demands involve payment in Bitcoin to prevent the release of data tied to two separate platforms. The data reportedly includes older Salesforce records associated with a February 2025 incident and more recent Zendesk data obtained during the latest breach. Grubhub uses Zendesk to operate its online customer support chat system for orders, account issues, and billing.


The timing and initial access vector of the breach have not been publicly confirmed. Sources said the compromise is believed to be connected to credentials and secrets stolen during recent Salesloft Drift data theft attacks. In August 2025, threat actors used stolen OAuth tokens associated with Salesloft’s Salesforce integration to carry out a data theft campaign between Aug. 8 and Aug. 18, 2025. The stolen information was later leveraged to harvest additional credentials and secrets for follow-on attacks across other platforms.


Security researchers have documented that the attackers targeted cloud access keys, passwords, and other authentication tokens to expand their access. ShinyHunters previously claimed responsibility for the Salesforce-related campaign, stating that data from approximately 1.5 billion records across hundreds of organizations was taken from multiple Salesforce object tables.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543