
Cybercriminals claim to have gained access to more than 70 million records from delivery service GrubHub, including 17 million hashed passwords, email addresses, and phone numbers. The breach, believed to have occurred in February 2025, came through a third-party contractor.
A GrubHub leak has been listed for sale on a hacker forum. The attackers claim to have obtained more than 1 gigabyte of data, including:
– usernames
– email addresses
– passwords hashed with the SHA1 algorithm — an outdated algorithm that is vulnerable to collision attacks
– phone numbers

Analysts have confirmed the authenticity of the sample records. This data can be used for phishing campaigns, identity theft and credential stuffing attacks – attempts to gain access to other accounts using the same logins and passwords.
GrubHub is one of the largest food delivery platforms in the US, serving more than 4,000 cities, working with 375,000 partner restaurants and reporting an annual turnover of almost $2 billion. The hack is another case in which a service provider became the vulnerable link in the cybersecurity chain. SHA1, used here for hashing passwords, has been deprecated for several years due to its low resistance to cracking.
If the hackers’ information is confirmed, this will be one of the largest data leaks in the online delivery sector. GrubHub risks losing the trust of millions of customers, and millions of users risk being subjected to phishing attacks. The incident highlights how unreliable external links leave large technology companies vulnerable. Users are advised to change their passwords immediately and enable two-factor authentication.