Grubhub Confirms Internal Data Breach Amid Extortion Threat

Grubhub has confirmed that "unauthorized individuals" accessed and downloaded data from some of its internal systems, and says it has hired a third‑party cybersecurity firm and notified law enforcement after detecting and stopping the activity. The company told BleepingComputer that payment data and order history were not affected but declined to say when the breach occurred, what customer information was accessed, or whether it is being extorted. Sources quoted in the report attribute the intrusion to the ShinyHunters hacking group, which is allegedly demanding Bitcoin to avoid leaking data said to include older Salesforce records from a February 2025 incident and newer Zendesk customer‑support records from the latest breach. Investigators believe attackers may have reused credentials and tokens stolen in last year’s Salesloft/Salesforce 'Drift' campaign, which Mandiant has tied to widespread theft of cloud access keys from hundreds of companies. Security experts note that even support‑system data such as names, emails and account notes can fuel targeted phishing and identity scams, and the case is feeding social‑media criticism that corporate breach disclosures often understate risk when upstream SaaS providers are compromised.