Grubhub Data Breach: What We Know About the Recent Hack

Grubhub's recent data breach is linked to the ShinyHunters group and the Salesloft Drift incident from August 2025.

Andrew Wallace

  • Grubhub data stolen in apparent Salesloft Drift breach; ShinyHunters now extorting company
  • Attackers threaten to leak Salesforce and Zendesk data unless paid in bitcoin
  • At least 31 organizations hit in related breaches since August 2025

Grubhub has joined the growing list of companies affected by the Salesloft Drift security breach.

According to exclusive reports from BleepingComputer, the popular US food delivery service has been hacked and is currently facing extortion demands.

Grubhub confirmed, "We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems. We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."

ShinyHunters and Salesloft Drift

While some data was compromised, the specifics regarding the number of affected individuals remain unclear. Authorities have been notified, and external cybersecurity experts are assisting with the investigation.

Sources indicate that the notorious ShinyHunters ransomware group is behind this attack, demanding payment in bitcoin to prevent the release of Salesforce and Zendesk data on the dark web. The Salesforce data reportedly stems from a breach in February 2025, while the Zendesk data is more recent.

The breach occurred after Grubhub’s login credentials were leaked during the Salesloft Drift attacks. In August 2025, hackers stole OAuth tokens for Salesloft’s Salesforce integration, leading to the exfiltration of sensitive data from numerous organizations worldwide.

To date, at least 31 confirmed cases of data breaches are linked to the Salesloft Drift incident, affecting companies like Dynatrace, Cloudflare, and Palo Alto Networks. A complete list can be found on this link.

The ShinyHunters group has claimed responsibility for the attack, focusing solely on data exfiltration rather than encryption.
