Summary
- Grubhub confirmed a data breach via a third-party vendor, impacting users, merchants, and drivers who contacted customer support. Exposed data includes names, emails, phone numbers, and some partial payment card details.
- Sensitive data like bank accounts and SSNs weren’t accessed, but the breach timeline and number of affected users are still unknown.
- Grubhub users should change passwords and watch for phishing emails.
The online food delivery market is a big one. As of 2023, DoorDash dominated the market in the US with over 67 percent of the market share, with Uber Eats coming in at second with a 25 percent market share, and GrubHub taking third spot.
Grubhub wasn’t the first online food delivery service in the US, but it sure did pioneer the industry. Operating in over 4,000 cities, the platform boasted over 24.6 million active customers in 2023, many of whom might now be affected by a recently disclosed data breach.
Related
Take back control: A quick guide to data breach prevention
It’s always a good idea to be aware of the latest data breaches
As highlighted by the platform in a news release today (via TechCrunch), it recently identified that unnamed hackers were able to access personal data belonging to Grubhub users, merchants, and delivery drivers stemming from a compromised third-party contractor.
The third-party contractor, according to Grubhub, provided service to the platform’s support team — hence, only users, merchants, and delivery drivers that interacted with Grubhub’s customer care seem to be impacted.
The company announced that it “immediately terminated the [compromised] account’s access” and removed the account from its system to prevent more data leaks. Additionally, it is now working with forensic experts to investigate the breach and trace its source.
Varying by individuals, here’s what the hacker(s) got away with:
- Names
- Email addresses
- Phone numbers
- Partial payment card information for Campus Diners (card type and last four digits of the card number)
Hashed passwords for some legacy systems were also accessed, but the hackers were unable to get their hands on bank account details, Social Security or driver’s license numbers, full payment card numbers, merchant login information, and Grubhub Marketplace customer passwords.
The company is yet to disclose when the breach took place, and the scope of the incident, particularly the number of users impacted, remains unclear.
As a Grubhub user, you should change your account password to ensure continued safety, alongside being wary of potentially upcoming phishing emails.
