Meals supply firm GrubHub disclosed an information breach impacting the non-public info of an undisclosed variety of prospects, retailers, and drivers after attackers breached its programs utilizing a service supplier account.
“Our investigation discovered that the intrusion originated with an account belonging to a third-party service supplier that supplied help providers to Grubhub,” the corporate mentioned on Monday.
“We instantly terminated the account’s entry and eliminated the service supplier from our programs altogether.”
In response to this incident, the corporate employed exterior forensic consultants to evaluate the breach’s impression, rotated passwords to forestall additional unauthorized entry, and added extra anomaly detection mechanisms throughout its inner providers.
The follow-up investigation discovered no proof that the attackers accessed different delicate private and monetary info, together with Grubhub Market buyer passwords, service provider login info, full cost card numbers, checking account particulars, Social Safety numbers, or driver’s license numbers.
Nevertheless, GrubHub mentioned that, relying on the affected person, the attackers gained entry to names, e mail addresses, and telephone numbers, in addition to partial cost card info (together with card sort and final 4 digits of the cardboard quantity) for some campus diners.
“The unauthorized particular person accessed contact info of campus diners, in addition to diners, retailers and drivers who interacted with our buyer care service,” GrubHub mentioned.
“The unauthorized celebration additionally accessed hashed passwords for sure legacy programs, and we proactively rotated any passwords that we believed might need been in danger.
Whereas the attackers did not entry Grubhub Market account passwords, the corporate urged prospects to at all times use distinctive passwords to reduce dangers.
A Grubhub spokesperson was not instantly accessible for remark when contacted by BleepingComputer earlier at present.
Grubhub is a food-ordering and supply platform with over 375,000 retailers and 200,000 supply companions in additional than 4,000 cities nationwide.
In December, it agreed to pay $25 million to settle FTC fees and cease partaking in illegal practices, together with not telling shoppers the total supply value, deceiving drivers about how a lot cash they’d earn, and itemizing eating places on its platform with out their consent.