Grubhub A.I CyberSecurity Scoring
Grubhub
Company Information
Website:http://www.grubhub.com
Employees number:6,717
Number of followers:222,114
NAICS:513
Industry Type:Technology, Information and Internet
Homepage:grubhub.com
Grubhub Risk Score (AI oriented)
Between 550 and 599
GrubhubTechnology, Information and Internet
Updated:
30/04/2026
30/04/2026
557/1000
Very Poor
Ca
Grubhub Global Score (TPRM)
xxxx
GrubhubTechnology, Information and Internet
Score locked

GrubhubVery Poor
Current Score
557Ca (VERY POOR)
01000
5 incidents
-43 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
567
JUNE 2026
565
MAY 2026
561
APRIL 2026
589
Cyber Attack
16 Apr 2026 • Grubhub
Amazon, Temu, Sam’s Club, Grubhub, Lyft, CountryMax and Elf Cosmetics: Misconfigured Server Run by Hackers Leaks 345,000 Stolen Credit Cards
AI Coding Error Exposes Massive Stolen Credit Card Database
555
HIGH-34
ELFTEMCOUGRUAMASAMLYF1777580773
AI Coding Error Exposes Massive Stolen Credit Card Database
On 16 April, cybersecurity researchers uncovered a misconfigured server linked to Jerry’s Store, a dark web carding marketplace where hackers verify stolen credit cards. The leak stemmed from an AI-assisted coding mistake, revealing the group’s entire database including 345,000 credit cards, of which 145,000 were active.
The hackers used Cursor, an AI-powered code editor, to build a statistics dashboard. However, the AI generated an unauthenticated open web directory instead of a secure page, exposing the server to public access. Researchers found that Cursor’s lack of safety guardrails allowed the tool to assist in criminal activity without intervention, despite recognizing its use for credit card fraud.
The group tested stolen cards by making small transactions on major platforms, including Amazon (US & JP), Grubhub, Sam’s Club, Temu, Lyft, Elf Cosmetics, and CountryMax. Successful payments confirmed a card’s validity, increasing its dark web value $7 to $18 per card, with the full dataset potentially worth $2.6 million.
The exposed data included card numbers, security codes, cardholder names, and home addresses. Jerry’s Store, launched in late 2023, appears to be operated by a Chinese-speaking individual, though the server was hosted in Germany, likely via a bulletproof hosting provider to evade detection.
While the incident highlights risks in AI-assisted development, researchers noted that the leak also disrupted criminal operations by exposing their methods. Cursor has not yet responded to the findings.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
584
FEBRUARY 2026
581
JANUARY 2026
630
Breach
20 Jan 2026 • Grubhub
Grubhub: Suit Says Grubhub Failed To Protect Private Info From Breach
Grubhub Faces Class Action Lawsuit Over Alleged Data Breach Failures
578
CRITICAL-52
GRU1768977235
Grubhub Faces Class Action Lawsuit Over Alleged Data Breach Failures
A potential class action lawsuit was filed against Grubhub in Illinois federal court on Monday, accusing the food delivery platform of failing to protect sensitive personal data belonging to diners and drivers. The plaintiffs allege that Grubhub’s inadequate security measures left their information vulnerable to a breach, though specific details of the incident including the timing, scope, and nature of the exposed data were not disclosed in the filing.
The case, Mintz v. Grubhub Holdings Inc., seeks damages for affected users, who may include both customers and delivery workers. The lawsuit highlights growing legal scrutiny over how companies handle and secure personal data, particularly in industries reliant on digital transactions.
As of the filing date, Grubhub has not publicly responded to the allegations. The outcome of the case could set precedents for data protection standards in the gig economy and delivery services sector. Further developments are expected as the litigation progresses.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
678
NOVEMBER 2025
676
OCTOBER 2025
622
SEPTEMBER 2025
619
AUGUST 2025
616
FEBRUARY 2025
645
Breach
01 Feb 2025 • Grubhub
Grubhub: Grubhub confirms hackers stole data in recent security breach
Grubhub Data Breach Amid Extortion Demands by ShinyHunters
594
CRITICAL-51
GRU1768529823
Grubhub Confirms Data Breach Amid Extortion Demands by ShinyHunters
Grubhub has acknowledged a recent data breach after hackers accessed its systems, with sources indicating the company is now facing extortion demands. The food delivery platform confirmed unauthorized access but stated that sensitive data such as financial information or order history remained unaffected.
While Grubhub declined to provide further details, including the breach timeline or whether customer data was compromised, it confirmed collaboration with a third-party cybersecurity firm and law enforcement. Multiple sources identified the ShinyHunters cybercrime group as the likely perpetrators, though the threat actors refused to comment when contacted.
The extortion demands reportedly involve Bitcoin payments to prevent the release of stolen data, including older Salesforce records from a February 2025 breach and newer Zendesk data accessed in the recent incident. Grubhub uses Zendesk for its customer support chat system, which handles orders, account issues, and billing.
The breach appears linked to credentials stolen during the August 2025 Salesloft Drift attacks, where threat actors exploited stolen OAuth tokens to compromise Salesforce integrations. Google’s Mandiant reported that the stolen data including AWS access keys, passwords, and Snowflake tokens was later used in follow-up attacks. ShinyHunters previously claimed responsibility for the Salesloft breach, alleging the theft of 1.5 billion records from 760 companies.
This incident follows a separate wave of scam emails sent from Grubhub’s b.grubhub.com subdomain last month, promoting a cryptocurrency scam. While Grubhub stated it contained the issue, it remains unclear whether the two events are connected.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
JANUARY 2025
705
Breach
01 Jan 2025 • Grubhub
Grubhub: Ex-Grubhub Worker Alleges Food App Negligently Allowed Data Hack
Grubhub Faces Class Action Lawsuit Over January 2025 Data Breach
643
CRITICAL-62
GRU1769118538
Grubhub Faces Class Action Lawsuit Over January 2025 Data Breach
A former Grubhub employee has filed a class action lawsuit against the food delivery platform, alleging the company failed to implement adequate security measures to protect sensitive personal and financial data. The complaint, filed on February 5, 2025, in the U.S. District Court for the Northern District of Illinois, claims cybercriminals accessed the information of tens of thousands of customers and employees in a January 2025 breach.
The exposed data reportedly included Social Security numbers, addresses, and financial details. Grubhub notified affected individuals on February 3, 2025, acknowledging the incident. The lawsuit, led by plaintiff Brian Bianchi, accuses Grubhub of negligence in safeguarding user data, potentially leaving victims vulnerable to identity theft and fraud.
The case highlights growing scrutiny over corporate cybersecurity practices and the legal consequences of failing to protect consumer information. No further details on the breach’s scope or the attackers’ methods have been disclosed.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
SEPTEMBER 2024
788
Breach
01 Sep 2024 • Grubhub
Grubhub, Popeyes and Restaurant Brands Inc.: What Restaurants Need to Know About Managing Third-Party Cyber Risks
Grubhub Breach Highlights Growing Third-Party Cyber Risks in the Restaurant Industry
700
CRITICAL-88
GRUPOPRES1769017007
Grubhub Breach Highlights Growing Third-Party Cyber Risks in the Restaurant Industry
In early 2025, Grubhub one of the largest third-party vendors serving the U.S. restaurant sector fell victim to a cyber incident originating from one of its own service providers. The breach underscored a troubling trend: restaurants are increasingly targeted through vulnerabilities in their interconnected digital supply chains.
The problem extends beyond isolated incidents. In September 2024, ethical hackers uncovered "catastrophic" flaws in Restaurant Brands Inc.’s systems, affecting Burger King and Popeyes. These included hard-coded passwords that could disrupt operations, raising concerns that malicious actors may have already exploited similar weaknesses. On average, restaurant breaches go undetected for 212 days, giving attackers ample time to steal payment card data, loyalty program details, and employee records.
The industry’s rapid digitization has expanded its attack surface. Approximately 80% of restaurant transactions are now electronic, with tech powering everything from point-of-sale systems to kitchen management and third-party delivery platforms. However, this reliance on vendors and their vendors creates a high-risk ecosystem. Third-party breaches now account for 30% of all cyber incidents, doubling in the past year.
The financial toll is severe. Hospitality cyber incidents cost between $3.4 million and $3.9 million per breach, driven by lost business, forensic investigations, and regulatory penalties. For individual operators, the impact is even more acute. A mid-sized franchisee with 15 locations faced additional costs after a breach via its payroll provider, including state-mandated notifications, business interruption, and credit monitoring for affected customers.
To mitigate these risks, experts emphasize the need for rigorous vendor audits. Key steps include assessing vendors’ security policies, response plans, staff training, and compliance with standards like SOC and PCI DSS. Contracts should also clarify indemnities, as even robust vendor protections may not fully shield operators from fallout.
Cyber insurance has become a critical safeguard, covering first- and third-party liabilities. However, policies must be carefully structured to address exposures like wire transfer fraud, credit card breaches, and business interruption. The evolving regulatory landscape with varying state laws adds another layer of complexity, as some insurers exclude coverage for emerging compliance risks.
The Grubhub incident serves as a stark reminder: in an industry where digital dependencies are unavoidable, third-party vulnerabilities are a persistent and escalating threat.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Grubhub ??
What was Grubhub's A.I Rankiteo Cyber Score in June 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in May 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in April 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in March 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in February 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in January 2026 ??
What was Grubhub's A.I Rankiteo Cyber Score in December 2025 ??
What was Grubhub's A.I Rankiteo Cyber Score in November 2025 ??
What was Grubhub's A.I Rankiteo Cyber Score in October 2025 ??
What was Grubhub's A.I Rankiteo Cyber Score in September 2025 ??
What was Grubhub's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Grubhub's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Grubhub ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Grubhub's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?