Grubhub Confirms Security Breach, User and Merchant Data Compromised
Food delivery company Grubhub has confirmed that it suffered a security breach, with user, driver, and merchant data compromised, including hashed passwords and partial credit card details.
How the Breach Occurred
Grubhub says that it noticed “unusual activity” that it traced back to an account used by a third-party service provider for its customer support team. The account’s access was terminated, and the service provider removed from Grubhub’s systems.
Data Compromised
Before the breach was detected, data was accessed relating to customers, drivers, and merchants who had used Grubhub’s customer service system, along with student users of its campus dining service. Names, email addresses, and phone numbers were accessed, along with partial credit card details including the card type and last four digits, and hashed passwords for “certain legacy systems.”
What Wasn’t Compromised
Grubhub hasn’t disclosed when the breach happened or how many accounts were accessed, but it says it has proactively rotated any passwords it believes were affected. The company says that bank account information and full payment card details weren’t accessed.
Current Status
Grubhub is still finalizing a sale from Just Eat to food hall startup Wonder for $650 million. The deal was announced in November 2024, and is expected to close in the first quarter of 2025.
Conclusion
Grubhub has taken steps to address the security breach, including terminating the account of the third-party service provider and rotating passwords. While the breach is concerning, it’s reassuring that bank account information and full payment card details weren’t accessed. Users and merchants affected by the breach should be vigilant and monitor their accounts for any suspicious activity.
FAQs
Q: What data was compromised in the breach?
A: Names, email addresses, and phone numbers were accessed, along with partial credit card details including the card type and last four digits, and hashed passwords for “certain legacy systems.”
Q: Were bank account information and full payment card details compromised?
A: No, bank account information and full payment card details were not accessed.
Q: How many accounts were affected?
A: Grubhub hasn’t disclosed the exact number of accounts affected by the breach.
Q: What steps is Grubhub taking to address the breach?
A: Grubhub has terminated the account of the third-party service provider and rotated any passwords it believes were affected.
Q: Is the sale of Grubhub to Wonder still proceeding?
A: Yes, the sale is still finalizing and is expected to close in the first quarter of 2025.
