Grubhub serves up security incident with a side of needing to change your password

US food and grocery delivery platform Grubhub says a security incident at a third-party service provider is to blame after user data was compromised.

It didn't specify the window in which the "unauthorized individual" got hold of the user data, but described it as "recently" and said it immediately revoked the third-party service provider account's access.

"We recently identified a security incident involving a third-party contractor, resulting in unauthorized access to certain user contact information," the company said in a statement.

"We took immediate action to contain the situation and have worked with leading forensic experts to investigate the matter. We are confident that the incident has been fully contained."

Grubhub, which offers a Campus Dining service that's available exclusively to students at more than 360 universities, said the contact data related to these users was among the types accessed.

Other users, merchants, and Grubhub drivers' personal data were also compromised, although the disclosure didn't specify how many were affected.

The type of data accessed varied among victims, but the following in some cases was affected:

• Names

• Email addresses

• Phone numbers

• Partial payment details (card type and last four digits of the card number)

• Hashed passwords for "certain legacy systems"

Grubhub said it doesn't think any normal user credentials are at risk, but advised customers to rotate their passwords anyway.

For the hashed internal passwords, Grubhub said these were also already rotated to prevent any potential wider access, as part of the usual incident response process.

The information involved may seem basic, but contact details and some semi-sensitive data such as partial card information could be enough to trick people into falling for phishing emails. From there, attackers can launch more lucrative scams.

• 2 officers bailed as anti-corruption unit probes data payouts to N Irish cops
• Medical monitoring machines spotted stealing patient data, users warned to pull the plug ASAP
• Baguette bandits strike again with ransomware and a side of mockery
• PowerSchool theft latest: Decades of Canadian student records, data from 40-plus US states feared stolen

Details such as SSNs, driver's license numbers, bank account details, merchant login credentials, and Grubhub Marketplace customer passwords are all considered safe.

Grubhub didn't identify the compromised third party responsible for the data snafu, other than saying it was a service provider for the company's support team.

"We remain dedicated to protecting the trust placed in us by our customers, merchants, and drivers," the statement added. "We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future."

Those steps include strengthened credential security and deploying additional anomaly detection mechanisms across the network, it said.

According to the Food Delivery App Report and company data gathered by Business of Apps, Grubhub had 24.6 million active customers in 2023 – the most recent available data – each ordering from the platform at least once per month. More than 375,000 merchants are also registered on the app, serving Americans across more than 4,000 cities.

Launched in 2004, Grubhub was acquired by Wonder Group in November 2024 for $650 million after previously being bought for $7.3 billion by Netherlands-based Just Eat Takeaway back in 2021. ®