Phishing on the Menu: Hacker Hijacks Restaurant Emails to Extort HungerRush
Restaurant patrons across the U.S. targeted in a mass extortion campaign after a threat actor exploited HungerRush’s email system.
It started with an unexpected email in the inboxes of restaurant-goers: a chilling threat, not from a scammer in some far-flung corner of the internet, but seemingly from the very company that manages their favorite pizza joint’s checkout system. This week, thousands of patrons from restaurants using HungerRush’s point-of-sale (POS) platform found themselves unwilling participants in a high-stakes cyber extortion drama - one that put both their data and their trust on the chopping block.
Fast Facts
- Hacker sent mass extortion emails to customers of restaurants using HungerRush’s POS system.
- Emails threatened to leak sensitive customer and restaurant data unless demands were met.
- Messages were authenticated and sent via HungerRush’s legitimate email infrastructure using Twilio SendGrid.
- The compromise may be linked to corporate credentials stolen via infostealer malware.
- HungerRush confirmed the incident and is working with law enforcement.
Inside the Extortion Campaign
The attack unfolded early Wednesday, when restaurant patrons began receiving ominous emails from addresses like support@hungerrush.com and 2019@hungerrush.com. The messages warned that unless HungerRush complied with the attacker’s demands, data belonging to “millions” of customers and restaurants would be exposed - including names, emails, passwords, addresses, phone numbers, dates of birth, and even credit card details.
What set these emails apart from run-of-the-mill phishing attempts was their authenticity: analysis showed they were delivered using Twilio SendGrid, a platform HungerRush legitimately uses to send customer receipts and notifications. The emails passed standard authentication checks (SPF, DKIM, and DMARC), making them nearly indistinguishable from real company communications. Those checks confirm only that a message was sent through infrastructure authorized for the domain; they say nothing about whether the account that triggered the send was under the company's control. Recipients on Reddit quickly recognized the link to previous digital receipts from restaurants that use HungerRush’s ordering systems.
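The gap between "authenticated" and "expected" can be shown with a mail-triage check. This is an added example, not part of the original report: the messages, the `mx.recipient.example` and `bounces.esp.example` hosts, and both word lists are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed messages for illustration; not captured from the incident.
HEADERS = (
    "Authentication-Results: mx.recipient.example;\n"
    " spf=pass smtp.mailfrom=bounces.esp.example;\n"
    " dkim=pass header.d=hungerrush.com;\n"
    " dmarc=pass header.from=hungerrush.com\n"
    "From: Support <support@hungerrush.com>\n"
)
EXTORTION = HEADERS + ("Subject: Important notice\n\n"
                       "Unless our demands are met, customer data will be leaked.\n")
RECEIPT = HEADERS + "Subject: Your receipt\n\nThanks for your order #1001. Total: $18.40\n"

# Hypothetical word lists; a real gateway would tune these per sender.
COERCION = re.compile(r"\b(demands?|leak(ed)?|exposed?|ransom)\b", re.I)
TRANSACTIONAL = re.compile(r"\b(receipt|order\s*#?\d+|total)\b", re.I)

def auth_results(raw):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}.

    Only trust an Authentication-Results header stamped by your own
    receiving server; one supplied by the sender can be forged.
    """
    msg = message_from_string(raw)
    header = " ".join(msg.get_all("Authentication-Results", []))
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {method.lower(): result.lower() for method, result in found}

def triage(raw):
    """Classify a message using authentication plus a content check."""
    msg = message_from_string(raw)
    if auth_results(raw).get("dmarc") != "pass":
        return "unauthenticated"
    text = f"{msg['Subject']}\n{msg.get_payload()}"
    # A sender known for receipts that suddenly sends coercive text is
    # anomalous even though every authentication check passed.
    if COERCION.search(text) and not TRANSACTIONAL.search(text):
        return "authenticated-but-anomalous"
    return "authenticated"

if __name__ == "__main__":
    print(auth_results(EXTORTION))
    print(triage(EXTORTION), "|", triage(RECEIPT))
```

Both sample messages carry identical authentication headers, so only the content check separates them.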
The source of the breach appears to be a compromised HungerRush employee account. Cybersecurity researcher Alon Gal pointed to infostealer malware that allegedly infected a HungerRush device in October 2025, capturing credentials for critical business services - ranging from payment processors like Stripe and Bill.com to customer management tools such as Salesforce and NetSuite. While it’s unclear if these stolen credentials are directly responsible for the current incident, the overlap raises troubling questions about internal security practices and the risk of supply chain attacks in the restaurant tech sector.
HungerRush, which boasts over 16,000 restaurant clients nationwide - including major chains like Sbarro and Hungry Howie’s - confirmed it is investigating the incident and cooperating with law enforcement. The company assured customers that protecting their data is a “top priority” and said it is working urgently to contain the threat and prevent further abuse.
Phishing Risks on the Rise
For now, experts urge anyone who has dined at a HungerRush-powered restaurant to be vigilant for follow-up phishing emails or SMS messages. Criminals may try to exploit stolen data to craft convincing scams, putting both personal information and payment details at risk. The breach highlights the cascading impacts of compromised business infrastructure - and serves as a stark reminder that when trusted digital channels are hijacked, every inbox becomes a potential front line in the cybercrime war.
WIKICROOK
- Point-of-Sale (POS): A POS terminal is a device that merchants use to securely process card payments and manage sales transactions.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- SPF, DKIM, DMARC: SPF, DKIM, and DMARC are protocols that authenticate emails, prevent spoofing, and verify the legitimacy of email senders.
- Infostealer Malware: Infostealer malware is malicious software that covertly gathers sensitive information, like passwords and financial data, from infected computers.
- Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.