Hackers used stolen password to steal customer data from GrubHub's network

American food delivery company GrubHub said it suffered a cyber security incident that compromised the sensitive personal information of its customers.

 

In a data security incident notice posted on its website, GrubHub said it recently learned that threat actors had infiltrated the internal network of one of its third-party service providers that provided services to its support team.

 

The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. It also took steps to contain the incident and notified relevant law enforcement authorities about the same.

 

The investigation revealed that the threat actors gained unauthorised access using an account associated with the service provider that GrubHub used for support services.

 

“We immediately terminated the account’s access and removed the service provider from our systems altogether,” reads the notice. “The unauthorised individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service.”

 

The compromised data included customers’ names, email addresses, phone numbers, partial payment card information for a subset of campus diners (card type and last four digits of the card number) and hashed passwords for certain legacy systems.

 

“While the threat actor did not access any passwords associated with GrubHub Marketplace accounts, as always, we encourage customers to use unique passwords to minimize risk,” the food delivery platform added.

 

GrubHub has assured its customers that Grubhub marketplace customer passwords, merchant login information, full payment card numbers, bank account details and Social Security or driver’s license numbers were not accessed during the incident.

 

At the time of publishing, no known hacker group has claimed responsibility for the cyber attack on GrubHub. The company is also yet to share if it has been able to establish the identity of the hackers.