Grubhub security breach compromises customer and driver data

Food delivery company Grubhub has confirmed that it suffered a security breach, with user, driver, and merchant data compromised, including hashed passwords and partial credit card details.

Grubhub says that it noticed “unusual activity” that it traced back to an account used by a third-party service provider for its customer support team. The account’s access was terminated, and the service provider removed from Grubhub’s systems.

Before the breach was detected, data was accessed relating to customers, drivers, and merchants who had used Grubhub’s customer service system, along with student users of its campus dining service. Names, email addresses, and phone numbers were accessed, along with partial credit card details including the card type and last four digits, and hashed passwords for “certain legacy systems.”

Grubhub hasn’t disclosed when the breach happened or how many accounts were accessed, but it says it has proactively rotated any passwords it believes were affected. The company says that bank account information and full payment card details weren’t accessed.

Grubhub is still finalizing a sale from Just Eat to food hall startup Wonder for $650 million. The deal was announced in November 2024, and is expected to close in the first quarter of 2025.