Our Response to a Third-Party Vendor Incident
We recently identified a security incident involving a third-party contractor, resulting in unauthorized access to certain user contact information. We took immediate action to contain the situation and have worked with leading forensic experts to investigate the matter. We are confident that the incident has been fully contained.
What Happened?
We recently detected unusual activity within our environment traced to a third-party service provider for our Support Team. Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider. We immediately terminated the account’s access and removed the service provider from our systems altogether.
What Data Was Accessed?
The unauthorized individual accessed contact information of campus diners, as well as diners, merchants and drivers who interacted with our customer care service. The following data was accessed, varying by individual:
- Names, email addresses and phone numbers
- Partial payment card information for a subset of campus diners (card type and last four digits of the card number)
The unauthorized party also accessed hashed passwords for certain legacy systems, and we proactively rotated any passwords that we believed might have been at risk. While the threat actor did not access any passwords associated with Grubhub Marketplace accounts, as always, we encourage customers to use unique passwords to minimize risk.
What Data Was NOT Accessed?
Our investigation confirms that the unauthorized party did not access sensitive personal information, including:
- Grubhub Marketplace customer passwords
- Merchant login information
- Full payment card numbers
- Bank account details
- Social Security or driver’s license numbers
How Did This Happen?
Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub.
How We Responded
To address the incident and further enhance our security, we implemented the following measures:
- Engaged Forensic Experts: Partnered with a third-party cybersecurity firm for a comprehensive investigation.
- Strengthened Credential Security: Rotated all relevant passwords to prevent potential unauthorized access.
- Enhanced Monitoring: Deployed additional anomaly detection mechanisms across internal services.
Our Commitment to Security
We remain dedicated to protecting the trust placed in us by our customers, merchants, and drivers. We have taken decisive steps to further secure our systems and are actively strengthening our security controls to prevent similar incidents in the future.