GrubHub data breach exposed contact and payment information of diners, merchants and drivers — here’s what we know

Amid a growing concern about the security of third-party services and providers, GrubHub has disclosed a data breach that exposed the personal information of an undisclosed number of customers, merchants and drivers. To give you an idea of how many people could be impacted, the service has over 375,000 merchants and 200,000 delivery partners in more than 4,000 cities nationwide.

In an announcement made yesterday, the company shared that attackers had breached its systems using an account belonging to a third-party service provider that provides support services. While GrubHub immediately terminated the account’s access and removed the service provider from its systems, unfortunately, the damage had already been done.

An external forensic expert hired by GrubHub to assess the impact of the breach did not find evidence that sensitive personal or financial data, such as customer passwords, merchant logins, full payment card numbers, bank account details, Social Security numbers or driver’s license numbers, was accessed.

Still, depending on the customer, driver or merchant, it’s possible that the attacker gained access to names, email addresses, phone numbers or partial payment card information (including card type and the last four digits of the card number).

GrubHub has encouraged customers to always use unique passwords to minimize risk, though attackers did not access GrubHub Marketplace account passwords. “The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service. They also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords we believed may have been at risk,” said the company.

GrubHub has rotated passwords to prevent any further unauthorized access to accounts, and has added anomaly detection mechanisms across its internal services. There are no details about why these measures were not already implemented; however, given the increasing frequency of third-party breaches, such preventative measures should be taken ahead of any attacks.

We plan on staying on top of this story and will update it accordingly if and when we find out more.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
