GrubHub data breach impacts customers, drivers, and merchants

Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account.

“Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub,” the company said on Monday.

“We immediately terminated the account’s access and removed the service provider from our systems altogether.”

In response to this incident, the company hired external forensic experts to assess the breach’s impact, rotated passwords to prevent further unauthorized access, and deployed additional anomaly detection mechanisms across its internal services.

The follow-up investigation found no evidence that the attackers accessed other sensitive personal and financial information, including Grubhub Marketplace customer passwords, merchant login information, full payment card numbers, bank account details, Social Security numbers, or driver’s license numbers.

However, GrubHub said that, depending on the affected individual, the attackers gained access to names, email addresses, and phone numbers, as well as partial payment card information (including card type and last four digits of the card number) for some campus diners.

“The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service,” GrubHub said.

“The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk.”

While the attackers didn’t access Grubhub Marketplace account passwords, the company urged customers to always use unique passwords to minimize risks.

A Grubhub spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Grubhub is a food-ordering and delivery platform with over 375,000 merchants and 200,000 delivery partners in more than 4,000 cities nationwide.

In December, it agreed to pay $25 million to settle FTC charges and stop engaging in unlawful practices, including not telling consumers the full delivery cost, deceiving drivers about how much money they’d earn, and listing restaurants on its platform without their consent.

