Reading time: 8 minutes | Last updated: January 18, 2026 | Category: Cybersecurity News

GrubHub Data Breach 2026: What Was Stolen and What You Should Do Now

Written by T.O. Mercer
Senior Solutions Engineer | 10+ years DevSecOps at Fortune 500 companies

Quick Facts

  • Date Confirmed: January 16, 2026
  • Threat Actor: ShinyHunters
  • Attack Vector: Stolen OAuth tokens (Salesloft/Drift integration)
  • Systems Affected: Salesforce (Feb 2025) and Zendesk (Jan 2026)
  • Risk Level: High (identity theft, targeted phishing)
🔴 DEVELOPING STORY
Last verified: January 18, 2026 at 2:45 PM EST
ShinyHunters has not yet released proof files. We're monitoring dark web channels and will update if leaked data surfaces.

GrubHub just confirmed what security researchers suspected: hackers accessed their systems and downloaded company data. The food delivery giant is now reportedly facing extortion demands from ShinyHunters, one of the most active cybercrime groups operating today.

This is GrubHub's second major breach in less than a year. And the attackers know it. According to sources, ShinyHunters is leveraging both incidents, threatening to release older Salesforce data from the February 2025 breach alongside newer Zendesk records from this latest intrusion.

Two breaches. One ransom demand. That's the situation GrubHub is dealing with right now.

How the GrubHub Hack Happened

On January 16, 2026, GrubHub acknowledged that "unauthorized individuals recently downloaded data from certain Grubhub systems." The company claims they quickly contained the breach, brought in external cybersecurity experts, and notified law enforcement.

This breach traces back to the Salesloft Drift attacks from August 2025. During those attacks, hackers targeted what security professionals call "non-human identities," specifically the OAuth tokens that allow different software systems to communicate without human intervention.

Think of OAuth tokens as digital keys that let one application access another without needing a username and password. When Salesloft's Drift integration got compromised, attackers walked away with keys to hundreds of companies' Salesforce environments. GrubHub was one of them.

Here's the part that should concern you: these tokens bypass traditional login security entirely. It doesn't matter if you had a strong password or two-factor authentication enabled on your GrubHub account. The hackers didn't go through the front door. They used the service entrance that connected GrubHub's internal systems to Salesloft.

The attackers didn't stop at Salesforce. They also accessed GrubHub's Zendesk customer support platform, which handles order issues, account problems, and billing questions. If you've ever contacted GrubHub support, your information may have been in that system.

What Data Was Stolen in the GrubHub Breach

GrubHub's official statement says "sensitive information, such as financial information or order history, was not affected."

Historically, "no sensitive data" claims from breached companies often get revised once the full scope of an intrusion becomes clear. Zendesk breaches are particularly difficult to assess early because the data is unstructured. We're not talking about clean database rows. We're talking about chat logs, email threads, and support ticket contents.

Here's what that means for you: if you ever typed your address into a GrubHub support chat, emailed a screenshot of a receipt, or provided your phone number to resolve an order issue, that information likely exists in plaintext somewhere in their Zendesk environment. Unstructured data like this is often more dangerous for identity theft than structured database entries because it contains context that helps attackers craft convincing phishing messages.

Attackers often use these specific support details (like a complaint about a late pizza delivery to your address on 5th Ave) to impersonate customer service in follow-up phishing calls. When someone references a real interaction you had, your guard drops.

Here's what security researchers and sources say was exposed:

Structured Data (Database Records)

  • Names
  • Email addresses
  • Phone numbers
  • Partial payment card information (last four digits and card type)
  • Hashed passwords from legacy systems

Unstructured Data (Zendesk Support System)

  • Chat transcripts
  • Email correspondence
  • Ticket contents (potentially including addresses, order details, complaints)

An important distinction: GrubHub claims that passwords for current Marketplace accounts were not compromised. The exposed passwords came from "legacy systems," meaning older infrastructure that may have been connected to acquired companies or outdated platforms.

In early January 2026, hackers claimed to have obtained 17 million GrubHub passwords as part of the ongoing extortion campaign. Those legacy passwords were hashed using SHA1, a cryptographic method the security industry abandoned years ago. SHA1 is vulnerable to collision attacks, where attackers can generate matching hash values without knowing the original password. Modern GPU-powered cracking tools can break SHA1 hashes in hours or days, especially for weak or commonly used passwords.
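A defender-side sketch of retiring legacy hashes like the ones described above, added here as an illustration and not GrubHub's code: each account is moved to a salted, slow hash on its next successful login. It assumes the legacy scheme was unsalted SHA-1 (the reports do not say whether salts were used) and swaps in PBKDF2-HMAC-SHA256; the function names, record layout and sample accounts are constructed for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def legacy_sha1(password):
    """Legacy scheme assumed here: unsalted SHA-1 hex digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None):
    """Build a salted, deliberately slow PBKDF2-HMAC-SHA256 record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_and_upgrade(record, password):
    """Check a login; on success return a record that no longer holds SHA-1."""
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(record["hash"], legacy_sha1(password))
        # Rehash only on a successful login, while the plaintext is in memory.
        return (True, pbkdf2_record(password)) if ok else (False, record)
    if record["scheme"] == "pbkdf2-sha256":
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
        return hmac.compare_digest(record["hash"], dk.hex()), record
    return False, record  # unknown scheme: fail closed


# Constructed sample rows: two accounts that chose the same password.
USERS = {
    "alice@example.com": {"scheme": "sha1", "hash": legacy_sha1("pizza2018!")},
    "bob@example.com": {"scheme": "sha1", "hash": legacy_sha1("pizza2018!")},
}

if __name__ == "__main__":
    # Unsalted SHA-1: identical passwords produce identical stored hashes.
    print(USERS["alice@example.com"]["hash"] == USERS["bob@example.com"]["hash"])
    for email, rec in USERS.items():
        ok, USERS[email] = verify_and_upgrade(rec, "pizza2018!")
        print(email, ok, USERS[email]["scheme"], USERS[email]["hash"][:16])
```

Accounts that never log in again keep their SHA-1 hash under this approach, so dormant rows need a forced reset or to be wrapped inside the slow hash.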

Note: ShinyHunters typically releases "proof" files in waves to pressure victims. This situation may evolve. We'll update this article as new information becomes available.

If you've had a GrubHub account for years and never changed your password, there's a real chance your credentials are in that batch. Here's the critical question: if you used the same password for GrubHub in 2018 that you still use for your primary email today, you are at high risk. Change both immediately.

Who Is Behind the GrubHub Hack

ShinyHunters is reportedly extorting GrubHub, demanding Bitcoin payment to prevent the release of stolen data. This group has been behind breaches at Dynatrace, Cloudflare, Palo Alto Networks, and dozens of other companies connected to the Salesloft incident.

Their playbook is simple: steal data, threaten to leak it, demand ransom. No encryption, no ransomware. Just pure extortion.

The group may also be operating under pressure. Earlier this month, someone leaked the entire BreachForums database, exposing the identities of 324,000 users on the underground hacking forum where ShinyHunters operates. When threat actors face exposure, they often accelerate extortion timelines to cash out before law enforcement closes in. GrubHub may be caught in the middle of that urgency.

Why Third-Party Vendors Are the Real Security Risk

This breach didn't happen because GrubHub left their front door open. It happened because a third-party vendor's integration tool (Salesloft's Drift application) got compromised, and that compromise cascaded into GrubHub's systems months later.

The specific vulnerability? Non-human identities. These are the service accounts, API keys, and OAuth tokens that connect modern software systems. They don't have passwords you can change on a schedule. They don't support two-factor authentication. And when they get stolen, attackers can quietly access systems for months before anyone notices.

Google's Mandiant security team reported that the attackers specifically targeted AWS access keys, Snowflake tokens, and Salesforce login URLs. This wasn't a smash-and-grab. It was a methodical campaign to collect digital keys that would unlock doors later.

This pattern is becoming disturbingly common. JPMorgan just disclosed a breach that originated at a law firm. Pornhub got hit through Mixpanel. The attackers aren't breaking down walls anymore. They're walking through unlocked side doors.

GrubHub trusted Salesloft. Salesloft's Drift integration got breached. Now GrubHub customers pay the price.

What to Do If You Have a GrubHub Account

If you have a GrubHub account, assume your information was exposed. Here's your action plan:

1. Change your GrubHub password immediately

Don't reuse a password from another account. If your GrubHub password was the same as your email or banking password, change those too. Use at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols.

2. Check if your credentials have been leaked

Go to haveibeenpwned.com and enter your email address. This free tool shows if your information appeared in known data breaches.

3. Enable two-factor authentication everywhere you can

If GrubHub offers 2FA, turn it on. More importantly, enable it on your email account. Email is the master key to your digital life. If attackers get into your email, they can reset passwords on everything else.

4. Watch for phishing attempts

Hackers who have your name, email, phone number, and support ticket history can craft extremely convincing phishing messages. Expect fake "GrubHub security alert" emails and texts that reference real details from your account. Don't click links in messages. Go directly to the app or website instead.

5. Monitor your payment methods

Even though GrubHub says full card numbers weren't stolen, partial card info combined with your other details makes social engineering attacks easier. Watch your statements for unfamiliar charges.

How This Breach Affects You Long-Term

GrubHub has 375,000 merchant partners and operates in over 4,000 US cities. Millions of people use this service. A breach this size affects a significant portion of the American population.

The data stolen in this breach won't disappear. It will circulate on underground forums for years. Attackers will use it for targeted phishing campaigns, credential stuffing attacks (trying your leaked password on other sites), and identity theft schemes.

Here's what frustrates me about this situation: it was preventable. After the Salesloft breach in August 2025, every company connected to that platform should have rotated their access tokens immediately. Google's Mandiant team warned about this exact scenario. Some companies acted. GrubHub apparently didn't move fast enough.
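The rotation check that paragraph calls for, as an added example (not code from GrubHub, Salesloft or Mandiant): given an inventory of non-human identities, it flags every credential a compromised vendor held or could read that has not been replaced since the incident, then anything past a maximum age. The inventory rows, field names and 365-day policy are constructed assumptions, and the incident day is a placeholder because only the month is reported.

```python
from datetime import date

# Vendor incidents: name -> cut-off date. Only "August 2025" is reported; the end
# of the month is used so rotations during the incident window are not trusted.
INCIDENTS = {"Salesloft Drift": date(2025, 8, 31)}

# Constructed inventory of non-human identities (not real GrubHub or vendor data).
# "exposed_to" lists every third party that holds the secret or could read it.
INVENTORY = [
    {"id": "drift-crm-oauth", "kind": "oauth_token", "issued": date(2025, 3, 2),
     "rotated": None, "exposed_to": ["Salesloft Drift"]},
    {"id": "drift-support-oauth", "kind": "oauth_token", "issued": date(2025, 1, 10),
     "rotated": date(2025, 9, 3), "exposed_to": ["Salesloft Drift"]},
    # A cloud key pasted into a CRM record is readable by the CRM integration.
    {"id": "aws-key-in-crm-case", "kind": "aws_access_key", "issued": date(2024, 11, 5),
     "rotated": None, "exposed_to": ["Salesloft Drift"]},
    {"id": "etl-api-key", "kind": "api_key", "issued": date(2023, 6, 1),
     "rotated": None, "exposed_to": []},
    {"id": "ci-deploy-token", "kind": "api_key", "issued": date(2025, 12, 1),
     "rotated": None, "exposed_to": []},
]


def audit(inventory, incidents, today, max_age_days=365):
    """Return (id, severity, reason) for credentials that need rotation."""
    findings = []
    for cred in inventory:
        last_fresh = cred["rotated"] or cred["issued"]
        hit = [v for v in cred["exposed_to"]
               if v in incidents and last_fresh <= incidents[v]]
        if hit:
            findings.append((cred["id"], "ROTATE_NOW",
                             "unchanged since incident at " + ", ".join(hit)))
        elif (today - last_fresh).days > max_age_days:
            findings.append((cred["id"], "STALE",
                             f"{(today - last_fresh).days} days without rotation"))
    # Incident-exposed credentials first, then stale ones (sort is stable).
    return sorted(findings, key=lambda f: f[1] != "ROTATE_NOW")


if __name__ == "__main__":
    for finding in audit(INVENTORY, INCIDENTS, today=date(2026, 1, 18)):
        print(*finding, sep=" | ")
```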

The lesson isn't complicated. Your security is only as strong as the weakest vendor in your chain. And you, the customer, have almost no visibility into which vendors a company uses or how well they're protected.

All you can control is your own password hygiene. Make it count.


FAQ: GrubHub Data Breach 2026

What was stolen in the GrubHub data breach?

Hackers accessed names, email addresses, phone numbers, partial payment card info (last four digits), and hashed passwords from legacy systems. They also obtained unstructured data from GrubHub's Zendesk support system, including chat logs and email correspondence. GrubHub claims current Marketplace passwords and full financial data were not affected.

What should I do if I have a GrubHub account?

Change your password immediately using a unique, 16+ character password. Check haveibeenpwned.com for leaked credentials. Enable two-factor authentication on GrubHub and your email account. Watch for phishing emails that may reference real details from your support history.

Who is behind the GrubHub hack?

The cybercrime group ShinyHunters is reportedly responsible. They are attempting to extort GrubHub by threatening to release data from both the February 2025 Salesforce breach and the January 2026 Zendesk breach.

Is my GrubHub password compromised?

If you created your account years ago and never changed your password, it may be among the 17 million legacy passwords reportedly obtained by hackers. These passwords were hashed with SHA1, which is considered insecure. Change your password immediately regardless.

How did hackers get into GrubHub's systems?

The breach originated from compromised OAuth tokens stolen during the Salesloft Drift attacks in August 2025. These tokens allowed attackers to access GrubHub's Salesforce and Zendesk environments without needing user credentials.



Sources: BleepingComputer, TechRadar, Cybernews, SecurityWeek, Google Mandiant
