Pierluigi Paganini
February 05, 2025
This week the online food ordering and delivery firm GrubHub disclosed a data breach that exposed customer and driver information.
Recently, the company detected an anomalous activity within its infrastructure, then it launched an investigation into the attack with the help of leading forensic experts.
The investigation revealed that attackers had compromised an account associated with a third-party provider of support services. Then GrubHub locked out the attackers and removed the hacked account.
“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team. Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider.” reads a notice of data breach published by the company on its website. “We immediately terminated the account’s access and removed the service provider from our systems altogether.”
Compromised data include names, emails, phone numbers, partial card info for some campus diners, and hashed passwords from legacy systems. The company reset affected passwords.
The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk. While the threat actor did not access any passwords associated with Grubhub Marketplace accounts, as always, we encourage customers to use unique passwords to minimize risk.
The food ordering and delivery firm confirmed that attackers did not access any passwords associated with Grubhub Marketplace accounts, however, they recommend customers to use unique passwords to minimize risk.
The data breach did not expose passwords, merchant logins, full card numbers, bank details, or Social Security numbers.
GrubHub has not disclosed whether it was targeted by a ransomware attack, and as of this writing, no known ransomware group has claimed responsibility.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
