Extortion at the Door: Grubhub Hit by Cybercriminals in Sophisticated Data Heist
Subtitle: Food delivery giant Grubhub faces extortion after hackers breach support systems, exposing customer data to new threats.
It began quietly - a breach in the digital kitchens of Grubhub, one of America’s most popular food delivery platforms. But as investigators dig deeper, the latest hack reveals a tangled web of cybercrime, extortion, and lingering vulnerabilities that reach far beyond one company’s menu.
Fast Facts
- Grubhub confirmed hackers accessed and stole data from its systems in a recent breach.
- The ShinyHunters cybercrime group is reportedly extorting Grubhub, demanding Bitcoin to prevent data leaks.
- Stolen data includes older Salesforce records and new Zendesk support information.
- The breach may be linked to a wider campaign exploiting stolen credentials from Salesloft Drift attacks.
- Grubhub is working with cybersecurity experts and law enforcement, but has not disclosed full details.
For Grubhub, the cyberattack is more than a technical hiccup - it's a crisis that exposes the vulnerabilities of companies dependent on third-party cloud platforms. Sources confirm the company is now being extorted by the notorious ShinyHunters gang, with hackers threatening to release sensitive Salesforce and Zendesk data unless they are paid in Bitcoin.
While Grubhub insists that no financial details or order histories were compromised, the scope of the breach remains unclear. The attackers reportedly gained access via credentials stolen in earlier Salesloft Drift data thefts - a campaign that, according to Google’s Mandiant team, targeted hundreds of companies by harvesting sensitive cloud credentials such as AWS keys and passwords from the data those integrations could reach. By using the stolen OAuth tokens and the integration points that connect platforms like Salesforce, Zendesk, and Salesloft, the hackers were able to pivot from one connected service to the next and access troves of customer support data.
This is not Grubhub’s first brush with cyber trouble. Just last month, its subdomain was hijacked to send scam emails promoting a cryptocurrency scheme. The company claims to have contained that incident, but would not clarify if the two attacks are connected.
Experts warn that the fallout could be significant. Zendesk, used by Grubhub to manage support chats and billing issues, often contains identifying customer information. If released, this data could be exploited for phishing, identity theft, or further extortion campaigns. The breach also highlights the ongoing risks posed by credential theft and the importance of revoking and rotating access tokens after such incidents - a step many organizations delay at their peril. Because an OAuth token grants an integration access in its own right, resetting user passwords alone does not cut off a token that has already been stolen; the token itself has to be revoked and any secrets reachable through the affected systems rotated.
Grubhub says it’s working closely with a third-party cybersecurity firm and law enforcement, but has remained tight-lipped about the specifics, including the timeline of the breach and the amount demanded by the hackers. Meanwhile, the ShinyHunters group - already infamous for high-profile data heists - remains silent, their Bitcoin wallet waiting.
As the investigation unfolds, the Grubhub breach serves as a stark reminder: in the interconnected world of cloud platforms and third-party services, a single stolen credential can open the door to a feast for cybercriminals - and a nightmare for everyone else.
WIKICROOK
- OAuth token: An OAuth token is a digital key that lets apps securely access your data without needing your password each time.
- Salesforce: Salesforce is a leading cloud-based CRM platform for managing customer data, making it a frequent target for cyberattacks due to its valuable information.
- Zendesk: Zendesk is a cloud-based support system for managing customer service tickets, live chats, and billing inquiries in one platform.
- Access key (AWS): An AWS access key is a credential pair (ID and secret) used to securely authenticate and access AWS resources programmatically.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.