Date of Incident:
2025
Overview:
In the Grubhub Data Breach of 2025, hackers from the ShinyHunters group accessed Grubhub's systems, targeting older Salesforce data and newer Zendesk data. The breach, discovered and reported in early 2026, left financial information and order history untouched. The attackers used MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing) to gain entry, exploiting outdated Salesforce API endpoints and Zendesk vulnerabilities. Grubhub is working with a third-party cybersecurity firm and law enforcement to address the incident.
Impact:
Hackers accessed Grubhub systems and stole data, including older Salesforce data and newer Zendesk data. The company is facing extortion demands from the ShinyHunters cybercrime group. Neither financial information nor order history was affected. Grubhub is working with a third-party cybersecurity firm and law enforcement.
Details:
The Grubhub Data Breach of 2025 involved unauthorized access mapped to MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing), which the ShinyHunters group used to infiltrate the systems. Observed attacker behavior included exploitation of old Salesforce API endpoints and vulnerabilities in the newer Zendesk system to extract user data. Reported IOCs include command-and-control domains associated with ShinyHunters, hashes of the stolen data packages, and registry edits suggesting lateral movement. Log artifacts showed unusual API calls, spikes in failed logins, and elevated-access error traces correlated with the time of the breach.
Remediation:
Grubhub worked with a third-party cybersecurity firm and law enforcement. Vendor guidance includes patching Salesforce and Zendesk systems to the latest versions with hardened API access controls. Temporary mitigations involved resetting internal access credentials and enforcing stronger multi-factor authentication. Recommended workarounds included network segmentation and deployment of real-time anomaly detection.
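The log artifacts named in the Details section (failed-login spikes and unusual calls to old API endpoints) and the real-time anomaly detection recommended above are the kind of signal a defender can hunt for directly. The script below is an added illustration, not Grubhub's, Salesforce's, Zendesk's or any investigator's code: it parses a constructed, hypothetical access-log format, flags any source whose failed logins reach a threshold inside a sliding window, escalates sources that then log in successfully (the pattern behind a T1078 valid-account compromise), and separately flags calls to legacy Salesforce REST API versions. The log lines, the field layout, the threshold, the window and the "minimum supported API version" cutoff are all assumptions chosen for the example.

```python
"""Hunt for failed-login spikes, spray-then-success, and legacy API use.

Added example, not code from the breach report or any vendor. The log
format, thresholds, and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format):
# "<ISO timestamp> <source ip> <user> <event> <endpoint> <http status>"
SAMPLE_LOG = """\
2025-09-14T02:00:01Z 203.0.113.7 svc-crm login /auth 401
2025-09-14T02:00:03Z 203.0.113.7 svc-crm login /auth 401
2025-09-14T02:00:04Z 203.0.113.7 svc-crm login /auth 401
2025-09-14T02:00:06Z 203.0.113.7 svc-crm login /auth 401
2025-09-14T02:00:07Z 203.0.113.7 svc-crm login /auth 401
2025-09-14T02:00:09Z 203.0.113.7 svc-crm login /auth 200
2025-09-14T02:01:10Z 203.0.113.7 svc-crm api /services/data/v20.0/query 200
2025-09-14T02:01:12Z 203.0.113.7 svc-crm api /services/data/v20.0/query 200
2025-09-14T09:15:00Z 198.51.100.4 alice login /auth 200
2025-09-14T09:15:30Z 198.51.100.4 alice api /services/data/v58.0/query 200
2025-09-14T09:16:00Z 198.51.100.4 alice api /tickets 403
"""

FAILED_LOGIN_THRESHOLD = 5           # assumed: failures per source per window
WINDOW = timedelta(minutes=1)        # assumed sliding window
MIN_SUPPORTED_API_VERSION = 50       # assumed cutoff; below this = legacy endpoint

# Salesforce REST paths carry the API version as /services/data/vNN.N/...
LEGACY_API_RE = re.compile(r"^/services/data/v(\d+)\.\d+/")


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, ip, user, event, endpoint, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "user": user, "event": event, "endpoint": endpoint,
            "status": int(status)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_login_spikes(events, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return {(ip, user): peak_failures} for sources whose 401 login
    attempts within any sliding window of `window` reach `threshold`."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["status"] == 401:
            failures[(e["ip"], e["user"])].append(e["ts"])
    spikes = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[src] = peak
    return spikes


def spray_then_success(events, spikes):
    """Sources that hit the failure threshold and later logged in with 200:
    the highest-priority finding, since it suggests a credential was guessed
    or phished and is now a 'valid account' (T1078)."""
    first_failure = {}
    for e in events:
        src = (e["ip"], e["user"])
        if src in spikes and e["event"] == "login" and e["status"] == 401:
            first_failure.setdefault(src, e["ts"])
    hits = []
    for e in events:
        src = (e["ip"], e["user"])
        if (src in first_failure and e["event"] == "login"
                and e["status"] == 200 and e["ts"] >= first_failure[src]):
            hits.append(src)
    return sorted(set(hits))


def legacy_api_calls(events, min_version=MIN_SUPPORTED_API_VERSION):
    """Flag API calls whose path names a Salesforce API version older than
    the assumed supported minimum; old versions are a common weak spot."""
    hits = []
    for e in events:
        m = LEGACY_API_RE.match(e["endpoint"])
        if m and int(m.group(1)) < min_version:
            hits.append((e["ip"], e["user"], e["endpoint"]))
    return hits


def triage(text=SAMPLE_LOG):
    """Run all three detections and return a single report dict."""
    events = parse_log(text)
    spikes = failed_login_spikes(events)
    return {"failed_login_spikes": spikes,
            "spray_then_success": spray_then_success(events, spikes),
            "legacy_api_calls": legacy_api_calls(events)}


if __name__ == "__main__":
    for finding, value in triage().items():
        print(f"{finding}: {value}")
```

The two-pointer window keeps the spike check linear per source, so the same logic scales to a day of real auth logs; in production the three findings would be joined on source so that a spray-then-success source that also hits a legacy endpoint is surfaced first. Successful logins from a source that never failed (alice above) produce no alert, which is the false-positive budget this approach buys over a plain "count of 401s" rule.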
Takeaway for CISO:
This breach underscores the risks of legacy and integrated third-party systems. For CISOs, prioritizing comprehensive access control reviews and real-time threat monitoring across all platforms is critical to prevent similar incursions and to mitigate extortion risks.
