Your Friday night pizza order just got a lot more complicated. Grubhub, the food delivery giant that’s handled millions of hungry customers’ personal details, is now dealing with hackers who reportedly want to get paid—or else.
The company, in a statement to BleepingComputer, confirmed a recent data breach after unauthorized actors accessed parts of its internal systems. The intrusion has since been contained. Grubhub is now taking additional steps to strengthen its security and claims that sensitive information, such as financial details and order history, was not affected.
The company did not disclose when the breach occurred, whether customer data was involved, or whether it is currently facing extortion attempts, revealing only that it has brought in a third-party cybersecurity firm and notified law enforcement.
Pattern of Problems
Last month, Grubhub was linked to scam emails sent from its own b.grubhub.com subdomain. Those emails promoted a cryptocurrency scheme promising high returns. Grubhub insisted at the time that the incident was contained and that further unauthorized messages were blocked. Whether the two incidents are related remains unclear.
The breach is reportedly connected to the hacking group ShinyHunters, which is demanding payment in bitcoin to prevent the release of stolen data that includes older Salesforce records tied to a February 2025 breach, along with newer data taken from Zendesk systems during the latest intrusion.
For the uninitiated, Grubhub uses Zendesk for customer support, including account access, billing questions, and order issues.
How the Hackers Got In
The current breach is believed to stem from credentials stolen during an August 2025 attack on Salesloft and Drift systems.
According to Google’s Threat Intelligence Group, hackers stole OAuth tokens connected to Salesforce integrations during that ten-day campaign, then used them to target multiple companies. ShinyHunters claimed responsibility for those attacks, saying they compromised approximately 1.5 billion Salesforce records from 760 organizations.
Even when payment information is not affected, support systems like Zendesk can contain names, email addresses, and internal account notes. In breach scenarios like this, such data becomes fuel for phishing and identity scams, while unrotated credentials often enable follow-on attacks.
Grubhub has not said whether it plans to notify affected users, leaving customers in the dark about whether their personal information was among the stolen data.
Sources: Cyberguy, BleepingComputer, Fox News