Grubhub has confirmed a new data breach involving its customer support systems, and a well-known cybercriminal group is reportedly demanding payment to prevent the data from leaking. The incident centers on information accessed from the company’s support platform, with the attackers believed to be linked to ShinyHunters, according to reporting from independent security researchers and breach trackers. Grubhub says it has contained the activity, engaged a third-party cybersecurity firm, and notified law enforcement.
The food delivery company indicated that financial data and order histories were not impacted, but it has not disclosed how many users were affected or the precise categories of information taken. Early indications suggest the intrusion involves chat and ticket data handled through a customer support vendor, a frequent target in recent supply chain-style attacks.

What Grubhub says was accessed in the breach
In a statement shared with security reporters, Grubhub said unauthorized individuals “downloaded data from certain systems,” adding that the company “quickly investigated, stopped the activity, and is taking steps to further increase our security posture.” The company emphasized that sensitive information such as financial details or order history was not affected, though support channels often contain names, emails, phone numbers, and case notes.
Because support conversations can include identity verification snippets and account-related context, even limited exposure can feed follow-on phishing or account takeover attempts. That risk is driving Grubhub’s collaboration with incident response specialists as it hardens access controls and reviews third-party integrations.

ShinyHunters’ extortion tactics and ransom claims
Researchers tracking the breach say the intruders are demanding payment in Bitcoin and threatening to publish data tied to more than one Grubhub-related incident. ShinyHunters has a long history of high-profile data thefts and leak-site extortion campaigns, and has previously claimed involvement in multi-company data exposures where stolen credentials or cloud-service tokens were a factor.
Law enforcement discourages ransom payments, noting there is no guarantee data will be deleted and that paying can encourage further attacks. The most recent FBI Internet Crime Complaint Center report recorded more than 880,000 cybercrime complaints and $12.5 billion in reported losses, with extortion and business email compromise among the most damaging categories—illustrating the scale and persistence of financially motivated attacks.

How attackers reportedly got in via support systems
The breach is tied to Grubhub’s use of a customer support platform, and investigators believe credentials or tokens stolen in a separate software compromise were leveraged to access those systems. This kind of daisy-chained intrusion is increasingly common: attackers harvest credentials from one cloud service, then pivot into another via single sign-on or connected apps with overlapping permissions.

Support platforms are particularly attractive because they aggregate user identifiers, communication history, and sometimes internal notes. Once inside, criminals can exfiltrate archives at scale, search for VIP accounts, and craft convincing impersonation attempts against both customers and staff.

Why customer support data matters for security
Even when payment data is not exposed, support records can be highly actionable. Chat transcripts and tickets may reveal partial addresses, email patterns, device types, and escalations—clues that help attackers validate targets and time social engineering. The latest Data Breach Investigations Report highlights the growth of pretexting against help desks and the role of stolen credentials in many system intrusions, underscoring the need to lock down these workflows.
For consumer platforms handling millions of orders, the compound risk spans customers, drivers, and restaurant partners. Compromise of any one group can ripple across the ecosystem, particularly if contact details are reused across services or passwords are recycled.

What customers should do now to protect accounts
- Watch for targeted phishing: Be skeptical of unsolicited messages claiming to be from delivery support, especially those requesting codes, refunds, or login resets. Navigate directly to the app rather than clicking links.
- Change your password and enable two-factor authentication on Grubhub and any accounts sharing the same credentials. Unique passwords and app-based 2FA significantly reduce takeover risk.
- Review your account for unexpected changes and verify past support interactions. If phone numbers or emails look unfamiliar, update your security settings immediately.
- Consider a password manager to eliminate reuse, and monitor financial statements for unusual charges even though Grubhub says payment data was not impacted.

The bigger picture for SaaS supply chains
This incident is another reminder that third-party and cloud-to-cloud connections are now prime entry points. Companies should audit which apps can access support and CRM data, rotate OAuth tokens, enforce least-privilege scopes, and deploy anomaly detection tuned for SaaS logins. Periodic tabletop exercises for help desk takeovers—covering revocation, data export throttles, and emergency MFA—can shrink the window of exposure.
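
One way to sketch the SaaS-tuned anomaly detection recommended above, as an added example that is not from the original article, Grubhub, or any vendor: it profiles each OAuth token's source networks and peak read volume during a baseline window, then flags later use from an unseen network or an unusually large pull. The log schema, token name, IP addresses (documentation ranges), and thresholds are all constructed assumptions.

```python
import json
from ipaddress import ip_network

BASELINE_END = "2025-01-08T00:00:00Z"  # assumed cutoff: earlier events build the profile
BULK_FACTOR = 5                        # assumed threshold: alert above 5x the baseline peak

# Constructed audit events in a hypothetical schema (not any vendor's real log format).
SAMPLE = """\
{"ts":"2025-01-06T09:02:11Z","token_id":"tok-crm-sync","src_ip":"198.51.100.10","action":"ticket.read","records":40}
{"ts":"2025-01-07T09:01:58Z","token_id":"tok-crm-sync","src_ip":"198.51.100.12","action":"ticket.read","records":55}
{"ts":"2025-01-08T09:02:03Z","token_id":"tok-crm-sync","src_ip":"198.51.100.10","action":"ticket.read","records":48}
{"ts":"2025-01-08T23:41:19Z","token_id":"tok-crm-sync","src_ip":"203.0.113.77","action":"ticket.export","records":9000}
"""

def net24(ip):
    """Collapse an IPv4 address to its /24 so normal egress IP churn does not alert."""
    return str(ip_network(f"{ip}/24", strict=False))

def detect(lines):
    """Return (ts, token_id, reasons) for post-baseline events that break a token's profile."""
    profile = {}  # token_id -> {"nets": set of /24s, "peak": max records per event}
    alerts = []
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        p = profile.setdefault(ev["token_id"], {"nets": set(), "peak": 0})
        net = net24(ev["src_ip"])
        if ev["ts"] < BASELINE_END:          # learning phase: record, never alert
            p["nets"].add(net)
            p["peak"] = max(p["peak"], ev["records"])
            continue
        reasons = []
        if net not in p["nets"]:             # token replayed from somewhere new
            reasons.append("new_network")
        if ev["records"] > BULK_FACTOR * max(p["peak"], 1):  # archive-scale pull
            reasons.append("bulk_read")
        if reasons:
            alerts.append((ev["ts"], ev["token_id"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

A token with no baseline history at all trips both rules on first use, which is the desired behavior for a connected app nobody has inventoried.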
Grubhub’s response will hinge on fast scoping, transparent notifications, and tightened partner controls. For customers, vigilance against social engineering remains the most effective defense while the full impact is assessed.
