GrubHub data breach exposed contact and payment information of diners, merchants and drivers — here’s what we know
A third-party service provider was attacked which led to the breach
Amid a growing concern about the security of third-party services and providers, GrubHub has disclosed a data breach that exposed the personal information of an undisclosed number of customers, merchants and drivers. To give you an idea of how many people could be impacted, the service has over 375,000 merchants and 200,000 delivery partners in more than 4,000 cities nationwide.
In an announcement made yesterday, the company shared that attackers had breached its systems using an account belonging to a third-party service provider that provides support services. While GrubHub immediately terminated the account’s access and removed the service provider from its systems, unfortunately, the damage had already been done.
An external forensic expert hired by GrubHub to assess the impact of the breach did not find evidence that sensitive personal or financial data, such as customer passwords, merchant logins, full payment card numbers, bank account details, Social Security numbers or driver’s license numbers, had been accessed.
Still, depending on the customer, driver or merchant, it’s possible that the attacker gained access to names, email addresses, phone numbers or partial payment card information (including card type and the last four digits of the card number).
GrubHub has encouraged customers to always use unique passwords to minimize risk, though attackers did not access GrubHub Marketplace account passwords. “The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service. They also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords we believed may have been at risk,” said the company.
GrubHub has rotated passwords to prevent any additional unauthorized access to accounts, and has added anomaly detection mechanisms across its internal services. There are no details about why these measures were not already in place; however, given the increasing frequency of third-party breaches, such preventative measures should be taken ahead of any attack.
We plan on staying on top of this story and will update it accordingly if and when we find out more.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.