Grubhub Cybersecurity Breach: Data Theft Confirmed by Officials

GrubHub Confirms Data Breach and Faces Extortion Demands

Exclusive: Grubhub, a popular food delivery platform, has acknowledged a recent data breach where hackers gained unauthorized access to its systems. Sources have revealed that the company is now being targeted with extortion demands, as reported by BleepingComputer.

“We’re aware of unauthorized individuals who recently downloaded data from certain Grubhub systems,” stated Grubhub in response to the breach.

The company promptly launched an investigation, halted the unauthorized activity, and is implementing additional security measures to enhance its overall security posture. Notably, sensitive information such as financial details or order history remains unaffected by the breach.

Grubhub declined to provide further details, including the timeline of the incident, whether customer data was involved, or the extortion demands it is facing.

However, the company has engaged a third-party cybersecurity firm and has informed law enforcement authorities regarding the breach.

In a separate incident last month, Grubhub was associated with a series of fraudulent emails originating from its subdomain b.grubhub.com. The emails promoted a cryptocurrency scam promising significant returns on Bitcoin payments. Grubhub addressed the issue at that time but refrained from elaborating further on the matter.

It remains uncertain whether the recent breach and the email scam are interconnected.

Extortion by Cybercriminals

While Grubhub has chosen not to share additional information, sources have told BleepingComputer that the ShinyHunters cybercrime group is behind the extortion attempts targeting the company.

Efforts to verify these claims with the threat actors were unsuccessful as they declined to comment.

According to insider information, the cybercriminals are demanding a ransom in Bitcoin to prevent the release of older Salesforce data from a breach in February 2025 and more recent Zendesk data obtained during the recent security incident.

Grubhub utilizes Zendesk for its online support chat system, catering to order assistance, account-related queries, and billing support.

Although the exact timing of the breach is unclear, sources indicate that it may have been facilitated by secrets and credentials pilfered during the Salesloft Drift data theft attacks.

In a previous incident in August, threat actors exploited stolen OAuth tokens linked to Salesloft’s Salesforce integration to perpetrate a data theft operation between August 8 and August 18, 2025.

Google’s Threat Intelligence team (Mandiant) highlighted that the stolen data was leveraged to acquire credentials and secrets for subsequent attacks on other platforms.

ShinyHunters, claiming responsibility for the breach, disclosed that they had accessed approximately 1.5 billion data records belonging to 760 companies, taken from various Salesforce object tables including “Account,” “Contact,” “Case,” “Opportunity,” and “User.”

As threat actors continue to misuse previously compromised Salesforce data for follow-up attacks, organizations impacted by the Salesloft Drift breaches are urged to promptly rotate all affected access tokens and secrets to mitigate risks.
