Grubhub Confirms Data Breach as Hackers Demand Extortion Using Stolen SaaS Credentials
By Cyber Jack
Food delivery giant Grubhub is investigating a data breach that has escalated into what sources describe as an extortion attempt, underscoring how stolen SaaS credentials can reverberate across companies months after an initial compromise.
The company confirmed that attackers accessed parts of its internal systems and downloaded data, but declined to specify when the intrusion occurred, whose information was involved, or whether ransom demands are underway. In a statement, Grubhub said it moved quickly to stop the activity, is working with a third-party cybersecurity firm, and has notified law enforcement. The company added that sensitive information such as financial details or order history was not affected.
Behind the limited public disclosure, multiple sources told BleepingComputer that the incident has taken on a familiar shape in modern cybercrime: data theft followed by extortion. Those sources link the activity to ShinyHunters, a prolific cybercrime group known for large-scale data breaches and monetization through public leaks. The threat actors declined to comment when contacted.
According to people familiar with the matter, the attackers are allegedly demanding payment in Bitcoin to prevent the release of data tied to two different systems. One tranche reportedly involves older Salesforce data connected to a breach earlier in 2025. The other is said to include more recent information pulled from Zendesk, the customer support platform Grubhub uses to handle order issues, account questions, and billing support.
Grubhub has not confirmed those details. It also has not said whether this breach is connected to a separate incident disclosed last month, when scam emails promoting a cryptocurrency scheme were sent from the company’s b.grubhub.com subdomain. At the time, Grubhub said it had contained that issue and taken steps to block further unauthorized messages, but offered few technical specifics.
What security researchers do see is a pattern that extends beyond a single company. Sources indicate the intrusion may trace back to credentials exposed during the Salesloft Drift data theft campaign, in which attackers abused OAuth tokens issued to the Drift chat application's Salesforce integration. In that campaign, which unfolded over several weeks in August 2025, the stolen tokens were presented directly to SaaS APIs to pull data; because the tokens were already authorized, no interactive login, password or MFA prompt was ever involved.
A report from Google’s Threat Intelligence Group detailed how attackers used the initial access to harvest additional secrets and pivot into follow-on compromises, including cloud access keys and other service credentials. ShinyHunters later claimed responsibility for that operation, boasting of data taken from hundreds of organizations.
Security leaders say this kind of delayed fallout is exactly what makes token-based attacks so dangerous. Cory Michal, CSO at SaaS security firm AppOmni, described the situation as a textbook example of long-tail exploitation.
“It’s not surprising we’re seeing the long tail of a campaign where the actor’s initial breach activity yielded a large cache of OAuth integration tokens providing them pre-authenticated access into many SaaS tenants at scale,” Michal said. “Once that kind of access is in hand, attackers don’t need to re-break in everywhere; they can work through the inventory over time, selectively pivoting into high-value organizations, chaining access into supply-chain style compromises, and then monetizing in waves via data theft, extortion, and ransomware.”
Michal warned that even organizations with strong multi-factor authentication can remain exposed if they treat integrations and non-human identities as an afterthought.
“Those tokens often operate as bearer credentials,” he said. “If an attacker obtains them, they can be used as a single-factor access method to act as the integration without triggering an interactive login or MFA challenge, and the activity can blend into normal API patterns.”
For companies like Grubhub, the incident highlights a broader reckoning facing enterprises that rely heavily on SaaS ecosystems. As attackers increasingly weaponize previously stolen integration tokens, defenders are being forced to inventory and audit their app connections, revoke tokens that are unused or have no accountable owner, reduce overly broad permissions, baseline what each integration normally does so that deviations stand out, and demand stronger security guarantees from vendors.
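The two checks below are an added example, not code from the article, Grubhub, AppOmni or any SaaS vendor. They illustrate the response described above: a scope and ownership audit of connected apps, and detection logic run over API event logs to catch the bearer-token behaviour Michal describes (no interactive login, activity that blends into normal API traffic) by flagging an integration token used from an unseen IP or pulling an unusual volume of records. The log schema, app names, scope names, IP addresses and thresholds are all constructed for this example and will need mapping to a real tenant's audit-log format.

```python
"""Added example: audit connected-app grants and flag anomalous bearer-token use.

All data below (apps, scopes, IPs, events) is constructed for illustration and
does not describe Grubhub's, Salesforce's or Zendesk's real configuration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes that let an integration token act almost like a full user. The names
# are assumptions for this example; map them to your SaaS platform's scope list.
BROAD_SCOPES = {"full", "refresh_token", "api", "read_all_records"}


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    scopes: frozenset
    last_used: datetime
    owner: str  # empty string means no accountable human owner on record


def audit_connected_apps(apps, now, stale_after=timedelta(days=90)):
    """Return {app_name: [finding, ...]} for integrations that need attention:
    broad scopes, no owner, or a token nobody has used within `stale_after`."""
    findings = defaultdict(list)
    for app in apps:
        broad = sorted(app.scopes & BROAD_SCOPES)
        if broad:
            findings[app.name].append(f"broad scopes: {', '.join(broad)}")
        if not app.owner:
            findings[app.name].append("no accountable owner")
        if now - app.last_used > stale_after:
            findings[app.name].append("unused token; revoke it")
    return dict(findings)


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    app: str           # connected app / integration the token belongs to
    src_ip: str
    operation: str     # e.g. "query", "bulk_export"
    records: int       # rows returned by this call
    interactive: bool  # True if a human login (and MFA) preceded this session


def detect_token_abuse(events, baseline_ips, records_per_hour_limit=50_000):
    """Flag non-interactive (token-only) API activity that deviates from an
    integration's baseline: a source IP never seen for that app, or more
    records in one clock hour than `records_per_hour_limit`. Interactive
    sessions are skipped because MFA already applies to them."""
    alerts = []
    volume = defaultdict(int)  # (app, hour bucket) -> records pulled so far
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive:
            continue
        if ev.src_ip not in baseline_ips.get(ev.app, set()):
            alerts.append((ev.ts, ev.app, f"token used from new IP {ev.src_ip}"))
        bucket = (ev.app, ev.ts.replace(minute=0, second=0, microsecond=0))
        before = volume[bucket]
        volume[bucket] += ev.records
        # Fire once, when the hourly total first crosses the threshold.
        if before <= records_per_hour_limit < volume[bucket]:
            alerts.append((bucket[1], ev.app, f"{volume[bucket]} records in one hour"))
    return alerts


# Constructed sample data.
NOW = datetime(2025, 11, 20, 12, 0)

SAMPLE_APPS = [
    ConnectedApp("crm-sync", frozenset({"api", "refresh_token"}), NOW - timedelta(days=1), "data-eng"),
    ConnectedApp("chat-widget", frozenset({"read_contacts"}), NOW - timedelta(days=2), "support"),
    ConnectedApp("old-pilot", frozenset({"full"}), NOW - timedelta(days=200), ""),
]

BASELINE_IPS = {"crm-sync": {"203.0.113.10"}, "chat-widget": {"198.51.100.5"}}

SAMPLE_EVENTS = [
    ApiEvent(NOW - timedelta(hours=3), "crm-sync", "203.0.113.10", "query", 200, False),
    ApiEvent(NOW - timedelta(hours=2), "chat-widget", "198.51.100.5", "query", 50, False),
    # Same integration token, now driven from an unfamiliar host, exporting in bulk.
    ApiEvent(NOW - timedelta(hours=1, minutes=30), "crm-sync", "192.0.2.77", "bulk_export", 40_000, False),
    ApiEvent(NOW - timedelta(hours=1, minutes=10), "crm-sync", "192.0.2.77", "bulk_export", 30_000, False),
    # A human session from a new IP: MFA applied, so it is not this detector's job.
    ApiEvent(NOW - timedelta(minutes=30), "chat-widget", "198.51.100.9", "query", 10, True),
]

if __name__ == "__main__":
    for name, issues in audit_connected_apps(SAMPLE_APPS, NOW).items():
        print(f"[audit] {name}: {'; '.join(issues)}")
    for ts, app, why in detect_token_abuse(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"[alert] {ts:%Y-%m-%d %H:%M} {app}: {why}")
```

On the sample data the audit reports `crm-sync` for its broad scopes and `old-pilot` for all three findings, while the detector raises two new-IP alerts for `crm-sync` and one volume alert when its hourly total reaches 70,000 records. In practice the baseline IP set and the per-hour limit should be learned per integration from a quiet period rather than hard-coded, and the events should come from the platform's own API or login-history logs.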
Whether the Grubhub breach ultimately results in leaked data or a quiet settlement remains unclear. What is clear is that the aftershocks of token theft campaigns can continue to surface long after the original breach fades from headlines, turning forgotten credentials into a persistent and costly risk.