Grubhub has officially acknowledged a security incident where unauthorized actors accessed and exfiltrated data from internal systems, marking another high-profile breach in early 2026. The company acted swiftly to contain the activity, but questions linger about the full scope and customer impact.
Incident Timeline and Attribution
The breach surfaced publicly around January 14, 2026, with Grubhub confirming unauthorized downloads from select systems. Security researchers link it to the ShinyHunters group, who exploited credentials stolen in a 2025 Salesforce/Salesloft Drift attack, targeting both older Salesforce records and newer Zendesk customer support data.This follows a pattern of OAuth token abuse enabling lateral movement across platforms.
Data Compromise and Risks
Grubhub states no sensitive customer data like financial details or order histories were affected. However, the stolen information likely includes Zendesk chat logs, potentially exposing names, emails, phone numbers, partial payment details, and hashed credentials—valuable for phishing or identity theft.ShinyHunters reportedly demanded Bitcoin ransom, threatening to release the data.
Grubhub’s Response and Lessons
Upon detection, Grubhub investigated with a third-party firm, notified law enforcement, and enhanced security measures.No specific breach dates, affected user counts, or notifications were disclosed.For cybersecurity pros tracking threats, this underscores third-party risks (Salesforce/Zendesk), credential hygiene, and OAuth token rotation—key for vulnerability management and incident response playbooks.
Recommendations for Users and Orgs
- Monitor accounts for phishing; enable MFA on support portals.
- Organizations: Audit third-party OAuth integrations and legacy API endpoints.
- Track ShinyHunters IOCs via threat intel feeds for proactive defense.
