
Grubhub Confirmed as Latest Victim of Salesforce Data Breaches

By Sasha Semjonova

US-based food delivery platform Grubhub has confirmed a recent data breach, with the online hacking group that targeted Salesforce data, ShinyHunters, allegedly behind the attack.

The breach, which involved unauthorized data downloads from Grubhub’s systems, has now allegedly been followed by extortion demands similar to those rebuffed by Salesforce last year.

Grubhub’s Data Breach 

According to Bleeping Computer, Grubhub has officially confirmed a recent data breach, but when the breach occurred and whether customer data was involved have not been confirmed.

Grubhub claimed that it quickly investigated, stopped the activity, and followed up on relevant security measures, insisting that “sensitive information, such as financial information or order history, was not affected.”

Grubhub has also allegedly claimed that it is now facing extortion demands, with Bleeping Computer reporting that the food delivery company is allegedly working with a third-party cybersecurity firm and has notified law enforcement. 

SF Ben has reached out to Grubhub for comment.

The Connection to Salesforce 

At present, Grubhub has also not confirmed any further details on the nature of the hack or the individuals behind the extortion claims. However, Bleeping Computer has alleged that the prolific online hacking group ShinyHunters is the group extorting Grubhub.


ShinyHunters was one of the groups behind the extensive Salesforce data theft incidents last year, which involved voice phishing instances that led to people downloading an attacker-controlled replica of the Salesforce Data Loader app.

The scale of these attacks became so large that in September, the FBI issued a Salesforce instant data warning.

According to Bleeping Computer’s sources, the threat actors are demanding a Bitcoin ransom to prevent the public release of data from two separate breaches: older Salesforce data stolen in February 2025 and newer Zendesk data taken during the recent security incident.

Reportedly, the breach was successfully executed through secrets/credentials stolen in the Salesloft Drift data theft attacks, potentially marking Grubhub as one of the 760 impacted companies.


Cory Michal, CSO at SaaS security company AppOmni, says: “It’s not surprising we’re seeing the ‘long tail’ of a campaign where the actor’s initial breach activity yielded a large cache of OAuth integration tokens providing them pre-authenticated access into many SaaS tenants at scale.

“Once that kind of access is in hand, attackers don’t need to ‘re-break in’ everywhere; they can work through the inventory over time, selectively pivoting into high-value organizations, chaining access into supply-chain style compromises, and then monetizing in waves via data theft, extortion, and ransomware.”

Peter Chittum, Salesforce Ben’s Technical Director, shared that he feels like this is a “we told you so” moment. 

“I think there’s going to continue to be a huge opportunity for security and governance-focused services this year,” he said. “Every company and government agency should be operating under the assumption and designing their system security and governance around the idea that it isn’t a matter of if, but rather when their critical systems will be compromised. Anecdotally, you’d have to assume that there are a lot of Salesforce orgs out there that were not implemented this way.”

“I wouldn’t be surprised if there wasn’t a very high-profile breach this year, too, where deep fakes combined with AI agents begin to do voice and video call phishing at scale.”

SF Ben has also reached out to Salesforce for comment. 

Final Thoughts 

Details of this hack have indicated that the impacts from the Salesforce data breaches are still being felt. 

This highlights how key it is that companies learn from the mistakes and vulnerabilities observed by affected companies last year, as otherwise, this year will only be a continuation of 2025’s events. 

The back door is evidently open for multiple companies, so there really is no better time to make sure that security processes are up to date, intensive, and measurable.

The Author

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.
