
Amid growing concern about the security of third-party services and providers, GrubHub has disclosed a data breach that exposed the personal information of an undisclosed number of customers, merchants and drivers. To give you an idea of how many people could be impacted, the service has over 375,000 merchants and 200,000 delivery partners in more than 4,000 cities nationwide.
In an announcement made yesterday, the company shared that attackers had breached its systems using an account belonging to a third-party service provider that provides support services. While GrubHub immediately terminated the account’s access and removed the service provider from its systems, unfortunately, the damage had already been done.
An external forensic expert hired by GrubHub to assess the impact of the breach did not find evidence that sensitive personal or financial data, such as customer passwords, merchant logins, full payment card numbers, bank account details, Social Security numbers or driver’s license numbers, were accessed.
Still, depending on the customer, driver or merchant, it’s possible that the attacker may have gained access to names, email addresses, phone numbers or partial payment card information (including card type and the last four digits of the card number).
GrubHub has encouraged customers to always use unique passwords to minimize risk, though attackers did not access GrubHub Marketplace account passwords. “The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service. They also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords we believed may have been at risk,” said the company.
GrubHub has rotated passwords to prevent any additional unauthorized access to accounts and has put additional anomaly detection mechanisms in place across its internal services. There are no details about why these measures were not already implemented. However, given the increasing frequency of third-party breaches, such preventative measures should be taken ahead of any attacks.
We plan on staying on top of this story and will update it accordingly if and when we find out more.