Attack exposes personal details of customers, drivers and merchants.
In February 2025, Grubhub suffered a data breach caused by a compromised third-party service provider account. The attack exposed the personal details of customers, drivers, and merchants, including:
Names, emails, phone numbers.
Partial payment card details (last four digits).
Hashed passwords from legacy systems.
The root cause was an attacker gaining unauthorized access through an external vendor, highlighting third-party security risks.
Third-Party Vendor Compromise:
Attackers infiltrated Grubhub’s network by compromising a vendor with privileged access.
Lack of strict vendor access controls allowed unauthorized entry.
Inadequate Anomaly Detection:
The breach was not immediately detected, highlighting weaknesses in monitoring and response mechanisms.
No real-time alerting on suspicious vendor activity.
Stronger Third-Party Security Controls: Implement least privilege access for vendors and continuous monitoring of third-party integrations. Conduct frequent security assessments of all external partners.
Advanced Threat Detection and Behavioral Monitoring: Deploy anomaly detection tools to flag unusual vendor activity. Use real-time alerts to detect unauthorized access and credential misuse.
