Meals supply firm GrubHub disclosed a knowledge breach impacting the private data of an undisclosed variety of clients, retailers, and drivers after attackers breached its programs utilizing a service supplier account.
“Our investigation discovered that the intrusion originated with an account belonging to a third-party service supplier that supplied assist companies to Grubhub,” the corporate stated on Monday.
“We instantly terminated the account’s entry and eliminated the service supplier from our programs altogether.”
In response to this incident, the corporate employed exterior forensic consultants to evaluate the breach’s impression, rotated passwords to forestall additional unauthorized entry, and added further anomaly detection mechanisms throughout its inside companies.
The follow-up investigation discovered no proof that the attackers accessed different delicate private and monetary data, together with Grubhub Market buyer passwords, service provider login data, full fee card numbers, checking account particulars, Social Safety numbers, or driver’s license numbers.
Nevertheless, GrubHub stated that, relying on the affected person, the attackers gained entry to names, electronic mail addresses, and cellphone numbers, in addition to partial fee card data (together with card sort and final 4 digits of the cardboard quantity) for some campus diners.
“The unauthorized particular person accessed contact data of campus diners, in addition to diners, retailers and drivers who interacted with our buyer care service,” GrubHub stated.
“The unauthorized social gathering additionally accessed hashed passwords for sure legacy programs, and we proactively rotated any passwords that we believed may need been in danger.
Whereas the attackers did not entry Grubhub Market account passwords, the corporate urged clients to all the time use distinctive passwords to reduce dangers.
A Grubhub spokesperson was not instantly out there for remark when contacted by BleepingComputer earlier right now.
Grubhub is a food-ordering and supply platform with over 375,000 retailers and 200,000 supply companions in additional than 4,000 cities nationwide.
In December, it agreed to pay $25 million to settle FTC expenses and cease partaking in illegal practices, together with not telling customers the complete supply value, deceiving drivers about how a lot cash they’d earn, and itemizing eating places on its platform with out their consent.
