Skip to content

Third-party contractor breach hits GrubHub users

  • by
  • 2 min read

GrubHub, one of the leading food delivery platforms in the United States, has disclosed a security breach linked to a third-party contractor, resulting in unauthorised access to user contact information. The breach resulted in unauthorised access to the contact information of various users, including campus diners, merchants, and drivers who had engaged with GrubHub’s customer support.

The compromised data included names, email addresses, phone numbers, partial payment card details (card type and last four digits) for some campus diners, and hashed passwords for specific legacy systems.

According to the company, the breach was discovered when unusual activity within its system was detected. A subsequent investigation traced the activity to a third-party service provider affiliated with GrubHub’s Support Team. The affected account was immediately terminated, and the service provider was completely removed from GrubHub’s systems to prevent further exposure.

“Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub,” the company wrote.

The third party in question did not have access to merchant login information, full payment card numbers, bank account details, and social security or driver’s license numbers.

Also, GrubHub emphasised that Marketplace account passwords remained secure and unaffected. However, as a precautionary measure, the company rotated passwords with at-risk legacy systems.

“The unauthorised party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk. While the threat actor did not access any passwords associated with Grubhub Marketplace accounts, as always, we encourage customers to use unique passwords to minimise risk,” GrubHub reports.

After the attack, GrubHub took immediate corrective action and engaged with forensic experts, rotated all relevant passwords, and deployed additional anomaly detection mechanisms.

Vulnerabilities in third-party service providers could often lead to such attacks. Last year, reports emerged that macOS Gatekeeper security is at risk due to third-party utilities.

In the News: Sensitive data of 2.88 million Physics Wallah users leaked on dark web

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>