TL;DR: ShinyHunters breached Woflow, an AI-powered merchant data platform used by DoorDash, Walmart, Uber, and Deliveroo. The attackers dumped 326GB of compressed data after Woflow refused to pay ransom. That's "several hundreds of millions of records" containing names, emails, merchant details, and transaction data. A class action lawsuit accuses Woflow of failing to notify victims or offer credit monitoring. If you've ever ordered through these platforms, your data may have traveled through Woflow's systems. And now it's on the dark web.
What Happened
On March 3, 2026, ShinyHunters (tracked by security researchers as UNC6040) compromised Woflow's core infrastructure. The threat actors posted the company on their dark web blog with a deadline: pay up by March 6, or the data goes public.
Woflow didn't pay.
On March 6, ShinyHunters released a 326GB compressed archive. When extracted, that expands to significantly larger volumes of raw data. They bragged about exfiltrating "several hundreds of millions of records containing PII, transaction/order data, other internal corporate data, and a lot more."
As of March 14, Woflow still hadn't issued a public response. No breach notifications. No credit monitoring offers. Radio silence.
What Is Woflow?
Woflow is an AI-powered platform that automates the digitization and structuring of merchant data. Think: restaurant menus, store inventories, business information. When you browse DoorDash and see a restaurant's menu, Woflow may have processed that data.
Their client list includes:
- DoorDash: Food delivery
- Walmart: Retail giant
- Uber: Rides and delivery
- Deliveroo: UK/Europe food delivery
The problem: when these platforms use Woflow, merchant and transaction data flows through Woflow's systems. ShinyHunters didn't need to hack each company individually. They hit the middleman.
What Data Got Stolen?
According to the threat actors and security researchers, the breach includes:
Personal Information
Names, email addresses, phone numbers. Merchant onboarding details containing SSNs, driver's licenses, and financial account info.
Transaction Data
Order histories, payment processing details, merchant analytics. Everything flowing through the pipeline.
Corporate Data
Internal Woflow systems, source code, API documentation. The keys to their infrastructure.
OAuth Tokens
Security analysts warn: if ShinyHunters grabbed OAuth tokens, they may retain "quiet" access to client environments even after Woflow patches.
The Lawsuit
Victims didn't wait for Woflow to act. A 46-page class action lawsuit accuses the company of:
- Failing to implement "adequate and reasonable cybersecurity procedures"
- Employing "inadequately trained employees who opened files containing the ransomware virus"
- Exposing consumers to "increased risk of fraud and identity theft"
- Failing to send required data breach notifications
- Not offering credit monitoring or remedial services
The lawsuit points out that Woflow knew they held sensitive data but didn't protect it. Now thousands of people are at risk, and the company still hasn't officially acknowledged the breach.
The Supply Chain Problem
This isn't just about Woflow. It's about how modern tech stacks work.
ShinyHunters has perfected a strategy: instead of attacking individual companies, they target upstream vendors with deep OAuth and API connections. Breach one SaaS platform, access dozens of enterprise clients.
This is the same playbook they used in the Salesforce supply chain attacks that hit 760+ companies. Security analysts now track their tactics:
- Identify integration-heavy SaaS vendors
- Compromise OAuth tokens and API credentials
- Pivot into connected enterprise environments
- Exfiltrate data in waves
- Extort victims with ransom deadlines
Woflow fits the profile perfectly: an AI platform that connects to multiple enterprise clients through OAuth integrations. One breach, many victims. The same dynamic let attackers breach Vercel through an AI tool.
What You Should Do
If you've used DoorDash, Uber, Walmart delivery, or Deliveroo, assume your merchant interaction data may be compromised. Here's how to protect yourself:
Check Your Accounts
Review linked payment methods on all food delivery apps. Remove unused cards. Enable transaction alerts.
Watch for Phishing
Attackers with your data can craft convincing "DoorDash" or "Uber" emails. Verify before clicking.
Monitor Credit
If you're a merchant whose data flowed through Woflow, consider a credit freeze. SSNs and financial data may be exposed.
Use Unique Passwords
If your email was in the breach, attackers will try password reuse attacks on other services. Use a password manager.
The Pattern
This is ShinyHunters' 2026 in a nutshell:
- January: Grubhub breach via Salesforce supply chain
- February: Crunchbase breach: 2 million records
- February: Bumble/Match Group breach: dating app data
- March: TELUS Digital breach: 1 petabyte including FBI background checks
- March: Crunchyroll breach: 6.8 million users
- March: Woflow breach: hundreds of millions of records
Security firms tracking ShinyHunters (also known as UNC6040) say they're running the "exact extortion cadence seen in the 2025 Salesforce CRM heist." Claim the breach. Set a deadline. Leak in waves. Move to the next target.
The group shows no signs of slowing down. And companies like Woflow, sitting in the middle of data flows between major platforms, make perfect targets.
The Bottom Line
Woflow was a chokepoint. Data from DoorDash, Walmart, Uber, and Deliveroo flowed through its systems. ShinyHunters found it, breached it, and dumped 326GB when the ransom wasn't paid.
The company hasn't acknowledged the breach publicly. No notifications have gone out. No credit monitoring has been offered. Meanwhile, a class action lawsuit is building, and hundreds of millions of records sit on the dark web.
This is what supply chain attacks look like in 2026. You don't even know which companies are holding your data, until they lose it.
References
- Security Boulevard - ShinyHunters Claims Woflow Breach: What It Means for SaaS Supply Chain Security (March 2026)
- ClassAction.org - Woflow Hit With Class Action Over March 2026 Data Breach (March 2026)
- BrinzTech - 326 GB Database of Woflow Allegedly Leaked by ShinyHunters (March 2026)
- AppOmni - ShinyHunters Claims Woflow Breach: SaaS Supply Chain Security Risks (March 2026)