Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, retailers, and drivers after attackers breached its systems using a service provider account.
“Our investigation discovered that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub,” the company stated on Monday.
“We instantly terminated the account’s access and removed the service provider from our systems altogether.”
In response to this incident, the company hired external forensic experts to assess the breach’s impact, rotated passwords to prevent further unauthorized access, and added additional anomaly detection mechanisms across its internal services.
The follow-up investigation found no evidence that the attackers accessed other sensitive personal and financial information, including Grubhub Market customer passwords, service provider login data, full payment card numbers, checking account details, Social Security numbers, or driver’s license numbers.
Nonetheless, GrubHub stated that, depending on the affected individual, the attackers gained access to names, e-mail addresses, and phone numbers, as well as partial payment card information (including card type and last four digits of the card number) for some campus diners.
“The unauthorized individual accessed contact information of campus diners, as well as diners, retailers and drivers who interacted with our customer care service,” GrubHub stated.
“The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk.”
While the attackers did not access Grubhub Market account passwords, the company urged customers to always use unique passwords to minimize risks.
A Grubhub spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Grubhub is a food-ordering and delivery platform with over 375,000 retailers and 200,000 delivery partners in more than 4,000 cities nationwide.
In December, it agreed to pay $25 million to settle FTC charges and stop engaging in unlawful practices, including not telling customers the full delivery cost, deceiving drivers about how much money they would earn, and listing restaurants on its platform without their consent.