TL;DR: On January 19, 2026, Grubhub confirmed hackers stole company data. The attackers (linked to ShinyHunters) are now demanding Bitcoin to not leak it. The breach connects to a larger Salesloft/Drift attack from August 2025 that compromised OAuth tokens for 760+ companies. Your Zendesk support chats and older Salesforce records may be in the stolen dataset. Grubhub says "sensitive information like financial information or order history" wasn't affected. That leaves a lot of other data unaccounted for.

What We Know

Grubhub dropped a vague statement on January 19: "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems."

They "quickly investigated, stopped the activity, and are taking steps to further increase our security posture." Corporate crisis comms 101.

What they won't say:

  • When exactly the breach happened
  • How many customers are affected
  • What data was actually stolen
  • Whether they're negotiating with the attackers

Sources familiar with the incident told BleepingComputer that Grubhub is facing active extortion demands. The threat actors want Bitcoin to prevent release of the stolen data.

ShinyHunters: The Usual Suspects

Multiple sources point to ShinyHunters, a cybercrime group that's been running a devastating Salesforce supply chain campaign since late 2025.

Their playbook:

  1. In August 2025, they stole OAuth tokens from Salesloft's Drift integration
  2. Those tokens gave them pre-authenticated access to Salesforce instances at 760+ companies
  3. They quietly exfiltrated data from high-value targets for months
  4. Now they're showing up with ransom demands

The FBI issued a warning about ShinyHunters' Salesforce campaign in September 2025. Grubhub is now on the victim list alongside Dynatrace, Cloudflare, Palo Alto Networks, and at least 28 other confirmed breaches.

What Did They Take?

Grubhub's statement says only that "financial information or order history" wasn't affected. Read that carefully: it doesn't say nothing was taken.

Sources indicate two datasets are at risk:

Salesforce Data (Feb 2025)

Customer records from an earlier breach. CRM data: names, emails, phone numbers, support histories.

Zendesk Data (Recent)

Support chat logs. Everything you typed to customer service: complaints, addresses, account issues, billing disputes.

Zendesk powers Grubhub's online support. Every time you chatted about a missing order or complained about a cold burger, that transcript got stored. Now someone else has it.

The Bigger Problem: SaaS Supply Chain

This isn't just a Grubhub problem. It's a systemic failure in how companies trust third-party SaaS tools.

Here's the chain of failure:

  • Salesloft got compromised
  • Their Drift integration used OAuth tokens
  • Those tokens authenticated to customer Salesforce instances
  • Attackers used that access to pivot into Zendesk and other connected services

One breach became 760+ breaches. Security analysts warn that compromised OAuth tokens can enable attacks months after the original intrusion. Companies don't know they're exposed until the ransom note arrives.
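
For teams on the defending side of this chain, here is an added example (not code from Grubhub, Salesloft, or the sources cited here): a Python audit of a constructed export of third-party OAuth grants that flags the ones still usable after a vendor compromise. The column names, app names, scope list, 180-day threshold, and the day of the month are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export of OAuth grants held by third-party integrations.
# Column names, app names and dates are hypothetical, not a real vendor schema.
SAMPLE_EXPORT = """app,vendor,scopes,issued,last_used,revoked
Drift Chat Sync,Salesloft,api refresh_token,2025-03-02,2026-01-10,false
Drift Legacy,Salesloft,api,2024-11-20,2025-07-15,true
Ticket Bridge,ExampleDesk,api refresh_token,2025-02-01,2026-01-18,false
Survey Widget,ExampleSurvey,chatter_api,2025-12-05,2026-01-12,false
"""

# Assumption: scopes this audit treats as broad or long-lived.
RISKY_SCOPES = {"full", "api", "refresh_token"}


def audit_grants(export_text, vendor, compromise_date, today, max_age_days=180):
    """Return {app: [reasons]} for grants that should be revoked and reissued."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["revoked"].strip().lower() == "true":
            continue  # already dead, nothing left to abuse
        issued = date.fromisoformat(row["issued"])
        last_used = date.fromisoformat(row["last_used"])
        scopes = set(row["scopes"].split())
        reasons = []
        if row["vendor"] == vendor and issued <= compromise_date:
            reasons.append("issued to compromised vendor before the incident")
            if last_used > compromise_date:
                reasons.append("used after the incident: review access logs")
        if "refresh_token" in scopes and (today - issued).days > max_age_days:
            reasons.append(f"refresh-capable grant older than {max_age_days} days")
        if reasons and scopes & RISKY_SCOPES:
            reasons.append("broad scopes: " + " ".join(sorted(scopes & RISKY_SCOPES)))
        if reasons:
            findings[row["app"]] = reasons
    return findings


if __name__ == "__main__":
    # The page gives only "August 2025"; the day used here is a placeholder.
    report = audit_grants(SAMPLE_EXPORT, "Salesloft", date(2025, 8, 1), date(2026, 1, 19))
    for app, reasons in report.items():
        print(app, "->", "; ".join(reasons))
```

A grant flagged as used after the incident is a prompt to pull that integration's access logs, not proof of misuse, since the legitimate integration keeps using the same token.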

If You Use Grubhub

Change Your Password

Do it now. Use a unique password. Enable 2FA if available.

Check Connected Accounts

Grubhub links to payment methods, email, phone. Review what's connected.

Watch for Phishing

Attackers with your data can craft convincing scam emails. Be skeptical of "Grubhub" messages.

Monitor Your Accounts

Check bank statements. Set up transaction alerts. The stolen data could enable identity fraud.

The Bottom Line

Grubhub got caught in a supply chain attack that's already hit dozens of major companies. The attackers have data. They want money. Grubhub isn't saying much.

This is what happens when companies connect everything to everything else through third-party services. One weak link (Salesloft's OAuth tokens) rippled through the entire ecosystem. Now ShinyHunters is cashing out.

Your food delivery app knows where you live, what you eat, your phone number, your email, your payment methods. That's the data on the table. Act accordingly.

References

  1. BleepingComputer - Grubhub confirms hackers stole data in recent security breach (January 2026)
  2. Salesforce Ben - Grubhub Confirmed as Latest Victim of Salesforce Data Breaches (January 2026)
  3. Yahoo News - Grubhub Confirms Data Breach, Hackers Reportedly Demand Ransom (January 2026)