Grubhub confirms it’s been hacked after unauthorized actors gain access to internal systems. The attackers reportedly gained access through credentials stolen during the Salesloft breach last August. Salesloft, a sales engagement platform, suffered a compromise that exposed OAuth tokens for multiple integrated services. Those tokens provided persistent access that attackers exploited months later.

- Grubhub confirmed hackers accessed internal systems but says customer financial data and order history were not affected.
- Sources claim ShinyHunters is attempting to extort the company by threatening to leak Salesforce and Zendesk data.
- Security experts warn stolen OAuth tokens can allow attackers to quietly breach companies months after the original hack.

Grubhub said that the attackers “recently downloaded data from certain Grubhub systems,” but claimed that financial information and customer order history were not affected.
The company also stated it moved quickly to contain the activity and is now working with a third-party cybersecurity firm while coordinating with law enforcement.
Beyond that confirmation, the company declined to answer follow-up questions regarding when the breach occurred, whether customer records were exposed, or whether any ransom demands were made.
According to the report, the extortionists are demanding payment in Bitcoin to prevent the release of older Salesforce data tied to a February 2025 breach, along with newer records allegedly taken from Grubhub’s Zendesk customer support platform.
Organizations that integrated with Salesloft or Drift should assume their connected accounts were exposed. The window between the August breach and current exploitation gave attackers months to map access, identify valuable targets, and plan their approach.
