Article Details
Scrape Timestamp (UTC): 2025-02-04 09:29:19.522
Original Article Text
Click to Toggle View
GrubHub data breach impacts customers, drivers, and merchants. Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account. "Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub," the company said on Monday. "We immediately terminated the account’s access and removed the service provider from our systems altogether." In response to this incident, the company hired external forensic experts to assess the breach's impact, rotated passwords to prevent further unauthorized access, and added additional anomaly detection mechanisms across its internal services. The follow-up investigation found no evidence that the attackers accessed other sensitive personal and financial information, including Grubhub Marketplace customer passwords, merchant login information, full payment card numbers, bank account details, Social Security numbers, or driver's license numbers. However, GrubHub said that, depending on the affected individual, the attackers gained access to names, email addresses, and phone numbers, as well as partial payment card information (including card type and last four digits of the card number) for some campus diners. "The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service," GrubHub said. "The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk. While the attackers didn't access Grubhub Marketplace account passwords, the company urged customers to always use unique passwords to minimize risks. A Grubhub spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today. Grubhub is a food-ordering and delivery platform with more than 375,000 merchants and 200,000 delivery partners in over 4,000 cities nationwide.
Daily Brief Summary
GrubHub disclosed a data breach affecting customers, merchants, and drivers, originating from a compromised third-party service provider account.
The breach exposed names, email addresses, phone numbers, and partial payment card details of certain individuals.
GrubHub terminated the compromised service provider's account, enhanced security, and hired forensic experts to investigate the breach.
No evidence was found that sensitive data such as Social Security numbers or full payment card details were accessed.
Following the breach, GrubHub implemented additional security measures including password rotations and anomaly detection mechanisms.
Affected data included hashed passwords of certain legacy systems; GrubHub has since rotated potentially impacted passwords.
The company urged all users to employ unique passwords across platforms to reduce security risks.
GrubHub supports over 375,000 merchants and 200,000 delivery partners across more than 4,000 cities.