Grubhub Breach Highlights Supply Chain Risk from Salesloft Drift Attacks
#Regulation


Security Reporter

Grubhub confirmed hackers accessed its systems and stole data, with sources linking the attack to the ShinyHunters group and the widespread Salesloft Drift credential theft campaign from August 2025. The incident demonstrates how stolen OAuth tokens from a single integration can cascade into downstream attacks across multiple platforms.

Food delivery platform Grubhub confirmed this week that unauthorized actors downloaded data from its systems, marking the latest victim in a chain of attacks stemming from the Salesloft Drift data theft incidents of August 2025. While Grubhub stated that sensitive financial information and order history remain secure, sources familiar with the investigation indicate the company is facing extortion demands from the ShinyHunters cybercrime group.


The Attack Chain: From Salesloft to Zendesk

The breach appears to trace back to compromised OAuth tokens used by Salesloft's Drift integration with Salesforce. Between August 8 and August 18, 2025, threat actors exploited these tokens to conduct a massive data theft campaign affecting 760 companies. According to Google's Threat Intelligence Group (GTIG), the attackers, tracked as UNC6395, harvested sensitive credentials including AWS access keys, passwords, and Snowflake access tokens from the compromised Salesforce environments.

ShinyHunters, the group claiming responsibility for the Salesloft Drift attacks, allegedly stole approximately 1.5 billion records from Salesforce object tables including Account, Contact, Case, Opportunity, and User data. This treasure trove of information has now become the foundation for follow-on attacks against downstream services.

In Grubhub's case, the attackers reportedly used credentials stolen during the Salesloft Drift campaign to access the company's Zendesk support platform. Zendesk powers Grubhub's online support chat system, handling customer inquiries about orders, account issues, and billing. The breach also potentially exposed older Salesforce data from a separate February 2025 incident, according to sources close to the investigation.

Extortion and the ShinyHunters Connection

Multiple sources confirm that ShinyHunters is demanding Bitcoin payment to prevent the release of both the older Salesforce data and the newer Zendesk information. This double-extortion tactic has become standard practice for ransomware and data theft groups, where victims face both the operational disruption of a breach and the reputational damage of public data disclosure.

The group's ability to pivot from Salesforce credentials to Zendesk access illustrates a critical vulnerability in modern SaaS ecosystems: the interconnected nature of business tools creates a cascade effect where compromise of one service can unlock others. Grubhub's use of Zendesk for customer support meant that the breach potentially exposed communication logs, account details, and support ticket information, even if financial data remained segregated.

Broader Implications for SaaS Security

This incident represents a textbook case of supply chain compromise affecting cloud infrastructure. The Salesloft Drift integration itself wasn't malicious—legitimate OAuth tokens were stolen and abused. This highlights the challenge organizations face in managing third-party integrations:

  1. Token Management: OAuth tokens, once issued, often remain valid for extended periods unless explicitly revoked. Attackers can exploit this persistence.

  2. Credential Sprawl: Credentials harvested from one platform (Salesforce) were used to attack another (Zendesk), demonstrating how secrets scattered across SaaS tools create multiple attack vectors.

  3. Detection Gaps: The initial Salesloft Drift compromise occurred in August, but Grubhub's breach appears to have happened more recently, suggesting attackers may sit on stolen credentials for weeks before deploying them.

Practical Security Recommendations

Organizations using Salesloft Drift or similar Salesforce integrations should take immediate action:

Rotate All Credentials: Every AWS access key, password, Snowflake token, and OAuth credential exposed in the Salesloft Drift breach must be rotated. This includes credentials that might seem tangentially related—attackers often chain permissions together.

Audit Integration Access: Review all third-party integrations connected to your Salesforce instance. Limit permissions to the minimum necessary scope and implement regular token rotation policies.

Implement Anomaly Detection: Monitor for unusual access patterns, particularly cross-platform activity. A Zendesk login from credentials harvested from Salesforce should trigger immediate alerts.

Segment SaaS Access: Consider using separate identities for different SaaS platforms, even if they're integrated. This prevents a compromise in one from automatically granting access to others.

Review Support Platform Data: Organizations using Zendesk or similar support platforms should audit what sensitive information is accessible through those systems and implement additional access controls.
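As an added, defender-side illustration of the anomaly-detection and token-rotation recommendations above (this is not code from the article or from any vendor), the script below correlates identities exposed in one platform with logins on other platforms, measures the dwell time between exposure and first misuse, and lists OAuth grants older than a rotation policy. The audit-event schema, identities, grants and timestamps are all constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not the article's code): correlate identities exposed in a
# compromised Salesforce org with logins elsewhere; flag old OAuth grants.

EXPOSURE_WINDOW_END = "2025-08-18T00:00:00Z"  # end of the August 8-18 window cited in the article

# Hypothetical identities whose secrets appeared in the exposed Salesforce data
EXPOSED_IDENTITIES = {"svc-drift-sync@example.com", "support-bot@example.com"}

# Constructed audit events in a simplified common schema (not a vendor format)
AUDIT_EVENTS = [
    {"ts": "2025-08-20T10:00:00Z", "platform": "salesforce", "actor": "svc-drift-sync@example.com", "action": "login"},
    {"ts": "2025-09-21T03:14:00Z", "platform": "zendesk", "actor": "support-bot@example.com", "action": "login"},
    {"ts": "2025-09-21T09:00:00Z", "platform": "zendesk", "actor": "agent@example.com", "action": "login"},
    {"ts": "2025-09-22T11:30:00Z", "platform": "snowflake", "actor": "svc-drift-sync@example.com", "action": "login"},
]

# Constructed OAuth grant inventory (client name, issue time, revocation state)
OAUTH_GRANTS = [
    {"client": "drift-salesforce", "issued": "2025-06-01T00:00:00Z", "revoked": False},
    {"client": "billing-connector", "issued": "2025-10-01T00:00:00Z", "revoked": False},
    {"client": "old-marketing-app", "issued": "2024-01-01T00:00:00Z", "revoked": True},
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def cross_platform_logins(events, exposed, home="salesforce"):
    """Logins on any platform other than `home` by an identity exposed in `home`."""
    return [e for e in events
            if e["action"] == "login" and e["actor"] in exposed and e["platform"] != home]

def dwell_days(events, exposed, exposure_end=EXPOSURE_WINDOW_END):
    """Whole days between the end of the exposure window and the first cross-platform misuse."""
    hits = cross_platform_logins(events, exposed)
    if not hits:
        return None
    first = min(parse_ts(e["ts"]) for e in hits)
    return (first - parse_ts(exposure_end)).days

def stale_grants(grants, now, max_age_days=90):
    """Active OAuth grants issued longer ago than the rotation policy allows."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(g["client"] for g in grants
                  if not g["revoked"] and parse_ts(g["issued"]) < cutoff)
```

Feeding real exports into the same shape (one event per authentication, one row per grant) turns the two filters into the cross-platform alert and the rotation report the recommendations call for.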

The Ongoing Threat

The Grubhub breach serves as a reminder that the fallout from the Salesloft Drift attacks continues to unfold. Security researchers anticipate additional victims will be identified as threat actors exhaust their inventory of stolen credentials. The incident also underscores the importance of rapid incident response—Grubhub's statement emphasizes that they "quickly investigated, stopped the activity, and are taking steps to further increase our security posture."

For customers, the immediate risk appears limited based on Grubhub's statements about financial data security. However, the exposure of support communications and account information could still enable targeted phishing attacks or social engineering attempts. Users should remain vigilant for suspicious emails claiming to be from Grubhub, particularly those referencing support tickets or account issues.

The broader lesson for enterprises is clear: in an interconnected SaaS ecosystem, security is only as strong as the weakest link in your integration chain. The Salesloft Drift incident has created a long tail of secondary breaches that will likely continue emerging throughout 2026, making comprehensive credential rotation and integration security review an urgent priority for any organization that hasn't yet addressed the initial compromise.
