Attackers claim they have their hands on a whopping 70 million lines of GrubHub’s data, including millions of hashed passwords, phone numbers, and email addresses. The company did report a data breach in early February.
Cybercrooks posted an ad for data on a data leak forum, claiming responsibility for the GrubHub data breach earlier this year. The online food delivery platform announced it indeed suffered a data breach via a third-party service provider in February.
While it’s unclear if the recent hacker announcement discusses the same breach, the timeline and exposed data types do match up. GrubHub’s February announcement indicated that hashed passwords, email addresses, and other data were stolen. However, GrubHub’s announcement did not specify the extent of the attack.
If the attackers’ claims hold any weight, it would mean the breach exposed tens of millions of the online food delivery platform’s users. Given a single password represents one account, the number of exposed accounts could be around 17 million.
We have reached out to Grubhub for comment and will update the story once we receive a reply.
What GrubHub data was leaked?
To prove their point, attackers shared a couple of thousands of supposedly stolen lines of data. According to the Cybernews research team, the sample includes:
- Names
- Email addresses
- Hashed passwords
The passwords are encoded using the SHA1 cryptographic hash, which is widely considered vulnerable. Our researchers believe that attackers could exploit the data set in so-called collision attacks – using two different passwords that create the same hash value – thus allowing cybercrooks to break into an account using a fake password.
“The purpose of selling this data ranges from using this massive collection of emails and phone numbers to launch phishing campaigns, scams, and identity theft to using weakly hashed passwords for credential stuffing attacks on other services,” Neringa Macijauskaitė, junior information security researcher at Cybernews, explained.
GrubHub’s third-party data breach
The popular food delivery platform suffered a data breach after attackers compromised the company’s third-party support service provider. After learning about the intrusion, the company locked out the perpetrators and deleted the third party’s account.
Initially, it was unclear if the attackers managed to exfiltrate the data. However, the recent claims indicate attackers may have succeeded in siphoning a substantial amount of customer data. The only silver lining is that attackers may have accessed less data than GrubHub expected.
The company initially said that “the contact information of campus diners, as well as diners, merchants, and drivers” who interacted with its customer care service was compromised in the breach. While the exposed data supposedly included partial payment data, attackers don’t advertise that in their announcement on the data leak forum.
Grubhub is a major player in the US food delivery industry. The company says it features 375,000 merchants in over 4,000 US cities. The company reported a revenue of nearly $2 billion in 2020, with nearly 3,000 employees.
Your email address will not be published. Required fields are markedmarked