Grubhub hacked: Customer data and merchant details exposed in major security breach
Grubhub has confirmed a data breach that exposed user and merchant information after attackers gained access through a third-party service provider. The company hasn’t disclosed how many people were affected but acknowledged that personal details were compromised.
“Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub,” the company said in a statement on Monday.
The breach adds to a growing list of recent cyberattacks, including one on the U.S. Department of Treasury, where hackers gained access to sensitive government documents.
What Happened?
Grubhub traced the breach to an account linked to a third-party contractor providing support services. Once the issue was detected, the company revoked access and severed ties with the provider.
“We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team. Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider. We immediately terminated the account’s access and removed the service provider from our systems altogether,” Grubhub said.
What Data Was Exposed?
The attackers got their hands on names, email addresses, and phone numbers. Some campus diners had parts of their payment card details—specifically the card type and last four digits—exposed.
Old internal systems were also compromised, allowing access to hashed passwords. Grubhub rotated any passwords that could have been at risk and reassured users that Marketplace account passwords were not affected.
How Grubhub Responded
Following the breach, Grubhub brought in forensic experts to investigate the incident and added extra security measures to detect suspicious activity. The company says the situation is now under control.
The review found no evidence that attackers accessed financial or highly sensitive personal data, such as merchant login credentials, full payment card details, bank accounts, Social Security numbers, or driver’s license information.
However, the breach did expose names, email addresses, and phone numbers. Some campus diners also had partial payment card details leaked, including the card type and last four digits. Grubhub advised users to use unique passwords as a general security measure.
“The unauthorized individual accessed contact information of campus diners, as well as diners, merchants, and drivers who interacted with our customer care service,” Grubhub said.
Grubhub’s Recent Troubles
Founded in 2004 by Jason Finger, Matt Maloney, and Mike Evans, the Chicago-based Grubhub is an online and mobile food ordering and delivery marketplace dedicated to connecting diners with local restaurants.
Grubhub serves over 33 million customers, working with 375,000 merchants and 200,000 delivery drivers across 4,000 cities. The breach comes just months after the company settled an FTC case for $25 million over misleading pricing and deceptive practices.
Adding to its turbulent year, Grubhub was recently sold by Just Eat Takeaway.com to Wonder Group in a $7 billion mega-deal.