The popular food delivery platform Grubhub has disclosed a significant data breach involving unauthorized access to customer, merchant, and driver information.
The breach, which was caused by a compromised third-party contractor account, raised concerns about data security and third-party risk management practices.
Grubhub detected “unusual activity” within its systems, which was traced to an account belonging to a third-party service provider contracted for customer support. 
Upon discovery, Grubhub immediately terminated the provider’s access and removed them from its systems. Forensic experts were engaged to investigate the breach and assess its scope.
The breach highlights the risks associated with supply chain attacks, where cybercriminals exploit vulnerabilities in external vendors or service providers.
Such incidents are increasingly common as attackers target interconnected systems to bypass direct security measures.
What Data Was Exposed?
The breach impacted various user groups, including campus diners, general customers, merchants, and drivers who interacted with Grubhub’s customer care services. The exposed data includes:
- Names
- Email addresses
- Phone numbers
- Partial payment card details (card type and last four digits) for some campus diners
- Hashed passwords from certain legacy systems
Grubhub clarified that sensitive data such as full payment card numbers, Social Security numbers, bank account details, and Grubhub Marketplace account passwords were not accessed.
However, the exposure of hashed passwords underscores the importance of using strong password hashing algorithms and regularly updating password security protocols.
The root cause of the breach was a compromised account from a third-party service provider. Cybersecurity experts often warn about the dangers of stolen or weak credentials being used as an attack vector.
According to IBM’s Cost of a Data Breach report, stolen credentials account for 16% of all breaches.
In this case, it is unclear whether the credentials were obtained through phishing, brute force attacks, or another method. Grubhub acted swiftly to contain the breach and strengthen its cybersecurity defenses.
The compromised third-party account was promptly terminated, and all potentially affected passwords were rotated as a precaution. New anomaly detection techniques were implemented across internal systems, and external cybersecurity specialists were hired to conduct an extensive investigation.
This incident underscores the critical need for robust third-party risk management practices. Companies must ensure that vendors adhere to stringent cybersecurity standards and conduct regular audits of their access privileges.
Additionally, implementing multi-factor authentication (MFA) can significantly reduce the risk of unauthorized access through compromised credentials.

