Grubhub confirms data breach: hackers demand ransom tied to Salesforce attacks


Grubhub confirms it's been hacked after unauthorized actors gained access to internal systems. Now sources say the company is facing extortion demands – rumored to be connected to the infamous ShinyHunters Salesforce attack campaign.

The food delivery giant acknowledged the breach in a statement sent to Bleeping Computer, which first reported the incident on Friday.


Grubhub said that the attackers “recently downloaded data from certain Grubhub systems,” but claimed that financial information and customer order history were not affected.

The company also stated it moved quickly to contain the activity and is now working with a third-party cybersecurity firm while coordinating with law enforcement.

Beyond that confirmation, the company declined to answer follow-up questions regarding when the breach occurred, whether customer records were exposed, or whether any ransom demands were made.


ShinyHunters threatening to leak data

Sources familiar with the incident told Bleeping Computer that the notorious cybercrime group ShinyHunters is attempting to extort Grubhub by threatening to leak stolen data.

According to the report, the extortionists are demanding payment in Bitcoin to prevent the release of older Salesforce data tied to a February 2025 breach, along with newer records allegedly taken from Grubhub’s Zendesk customer support platform.

It remains unclear exactly when the latest intrusion occurred, but investigators believe it stems from OAuth tokens stolen during the Salesloft Drift breach campaign that unfolded last summer.


The attacks targeting the Salesforce-connected marketing application enabled large-scale data theft across hundreds of organizations, including big names ranging from Jaguar Land Rover, Gucci, and Chanel to Cisco Systems and Google.

ShinyHunters previously claimed responsibility for that campaign, alleging the theft of approximately 1.5 billion records spanning Salesforce “Account,” “Contact,” “Case,” “Opportunity,” and “User” tables across more than 700 companies, the tech media outlet reports.

At the time, the Google Threat Intelligence Group (GTIG) had advised “all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”

Grubhub has confirmed that it believes the breach is connected to that same attack chain.


Delayed exploitation increasingly common

Cory Michal, CSO at SaaS security company AppOmni, told Cybernews the Grubhub case highlights the “long tail” impact of token theft campaigns.

“It's not surprising we're seeing the ‘long tail’ of a campaign where the actor's initial breach activity yielded a large cache of OAuth integration tokens providing them pre-authenticated access into many SaaS tenants at scale,” Michal said.

“Once that kind of access is in hand, attackers don't need to ‘re-break in’ everywhere; they can work through the inventory over time, selectively pivoting into high-value organizations, chaining access into supply-chain style compromises, and then monetizing in waves via data theft, extortion, and ransomware,” he said.


Michal says the “delayed exploitation” model explains why new victims continue to surface months after the original breach window has closed.

“Even with several details still unconfirmed, what stands out is the way this appears to leverage OAuth tokens and service/integration identities, a blind spot for many organizations that have invested heavily in ‘identity hardening’ and multi-factor authentication (MFA) for human users,” he said.

“Those tokens often operate as bearer credentials: if an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge.”


Michal warned that organizations must rethink how they manage non-human identities and SaaS integrations.

“Organizations need to go beyond ‘classic’ third-party vendor reviews and actually inventory and audit the integrations running in their SaaS environments,” he said. “Most teams have far more integrations than they realize, and many retain broad privileges long after the original business need.”
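The kind of integration audit Michal describes, as an added illustration that is not from the article or from AppOmni: a script that walks a tenant's inventory of OAuth integrations and flags tokens that predate a token-theft advisory for an affected vendor, tokens that have sat unused, and tokens holding broad scopes. The vendor name, advisory date, scope names, field names and the sample inventory are all constructed for the example, not taken from Grubhub or any real tenant.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed assumptions for this example (not real vendors, dates or tenant data).
AFFECTED_VENDORS = {"drift-chat"}        # vendors named in a token-theft advisory
ADVISORY_DATE = date(2025, 8, 20)        # tokens issued before this and never rotated are suspect
BROAD_SCOPES = {"full", "api", "refresh_token"}
STALE_AFTER = timedelta(days=90)         # unused longer than this: likely no business need left


@dataclass
class Integration:
    name: str
    vendor: str
    scopes: set
    issued: date      # when the current token was issued (or last rotated)
    last_used: date   # last API call seen from this token


def audit(inventory, today):
    """Return {integration name: [findings]}; integrations with no findings are omitted."""
    report = {}
    for app in inventory:
        findings = []
        # Bearer tokens never face an MFA prompt, so an unrotated token tied to a
        # compromised vendor must be treated as attacker-held and revoked.
        if app.vendor in AFFECTED_VENDORS and app.issued < ADVISORY_DATE:
            findings.append("revoke: token predates advisory for affected vendor")
        idle = today - app.last_used
        if idle > STALE_AFTER:
            findings.append(f"stale: unused for {idle.days} days")
        broad = sorted(app.scopes & BROAD_SCOPES)
        if broad:
            findings.append("broad scopes: " + ", ".join(broad))
        if findings:
            report[app.name] = findings
    return report


# Constructed sample inventory: one integration tied to the affected vendor, one
# forgotten legacy app with full access, one well-scoped and active integration.
SAMPLE = [
    Integration("drift-chat-prod", "drift-chat", {"api", "refresh_token"}, date(2025, 3, 1), date(2026, 2, 1)),
    Integration("legacy-survey-sync", "survey-co", {"full"}, date(2023, 6, 15), date(2025, 9, 1)),
    Integration("sso-directory", "idp", {"openid", "profile"}, date(2025, 11, 1), date(2026, 2, 8)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2026, 2, 9)).items():
        print(name, "->", "; ".join(findings))
```

In a real tenant the inventory would be pulled from the SaaS platform's connected-app or OAuth token listing, and "revoke" findings should be acted on before the stale and broad-scope ones.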

Grubhub has not confirmed whether ransom negotiations are ongoing.

