
Grubhub Data Breach Reveals Massive Supply Chain Attack Affecting 700+ Organisations

January 16, 2026


Food delivery platform Grubhub has confirmed that hackers accessed its systems and downloaded company data, becoming the latest victim of a sprawling supply chain attack that has compromised over 700 organisations since August 2025. The cybercrime group ShinyHunters is reportedly extorting Grubhub, demanding a Bitcoin payment to prevent the public release of stolen Salesforce and Zendesk data.

The Breach

Grubhub disclosed the security incident on Wednesday, stating that unauthorised individuals recently downloaded data from certain company systems. The company quickly investigated and stopped the activity, implementing additional security measures. According to Grubhub, sensitive information such as financial data and order history was not affected by the breach.

However, sources familiar with the matter revealed that threat actors are demanding cryptocurrency payment to prevent the release of two separate data sets: older Salesforce data from a February 2025 breach and newer Zendesk data stolen in the recent intrusion. Grubhub uses Zendesk to power its online customer support chat system. The company has not responded to questions about the timing of the breach, whether customer data was involved, or confirmation of extortion demands.

ShinyHunters, a notorious cybercrime group known for abandoning traditional ransomware encryption in favour of pure data exfiltration and extortion, refused to comment when contacted to verify the claims.

Connection to Salesloft Drift Campaign

The Grubhub breach occurred after the company's login credentials were compromised through the Salesloft Drift OAuth token attacks. In August 2025, a threat actor tracked by Google Threat Intelligence Group as UNC6395 exploited compromised OAuth tokens from the Salesloft Drift AI chatbot's Salesforce integration to exfiltrate massive volumes of data from corporate Salesforce instances.

The attack's origins trace back to March 2025, when hackers gained unauthorised access to Salesloft's GitHub repository containing private source code. Between March and June 2025, attackers conducted reconnaissance and eventually accessed Drift's Amazon Web Services environment, where they stole OAuth tokens for various technology integrations.

The stolen OAuth credentials provided attackers with a powerful advantage, allowing them to bypass multi-factor authentication and other traditional security controls. These tokens function like master keys, granting access without requiring passwords or secondary authentication methods. The compromised data was then used to harvest additional credentials, including AWS access keys, passwords, and Snowflake database tokens, enabling cascading attacks against other platforms.

Between 8 August and 18 August 2025, UNC6395 systematically queried and exported large volumes of records from over 700 organisations. As one ShinyHunters member told The Register, the data from Salesloft Drift breaches enabled entry points into many highly lucrative systems.

Widespread Impact

The Salesloft Drift incident has affected numerous major technology and cybersecurity companies, including Cloudflare, Google, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Zscaler, Tenable, and CyberArk. ShinyHunters has claimed to have stolen approximately 1.5 billion data records from the Salesforce object tables of 760 companies.

On 20 August 2025, Salesforce and Salesloft responded by revoking all Drift OAuth tokens and removing the Drift application from the Salesforce AppExchange pending investigation. The investigation later revealed that the compromise extended beyond just the Salesforce integration, affecting other OAuth tokens for integrations including Drift Email. On 9 August 2025, threat actors used compromised email tokens to access a small number of Google Workspace accounts.

Grubhub's Response and History

Grubhub, which operates in over 4,000 US cities with 375,000 merchant partners, confirmed it is working with a third-party cybersecurity firm and has notified law enforcement. This represents the second significant security incident for the company in 2025. In February 2025, Grubhub experienced a separate data breach involving a third-party support service provider, which exposed customer names, email addresses, phone numbers, and hashed passwords.

Security Implications

The Salesloft Drift breach highlights the growing risks associated with OAuth integrations and third-party applications that connect to core business systems. When organisations integrate external tools with platforms like Salesforce, they extend trust to the security practices of those third-party vendors. A compromise at the vendor level can cascade into breaches across hundreds of connected organisations.

Security experts have emphasised that the scope of this compromise extends to all authentication tokens stored in or connected to the Drift platform. Organisations that used Salesloft Drift should treat any authentication tokens as potentially compromised and rotate all affected access tokens and secrets immediately if they have not already done so.
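To decide what to rotate first, an affected organisation can scan its own exported Salesforce records for the secret types the attackers are described as harvesting (AWS access keys, passwords, Snowflake credentials). The sketch below is an added example, not code from the episode or from any vendor. The record shape, field names and the password and Snowflake patterns are assumptions, and the sample rows are constructed.

```python
import re
from collections import defaultdict

# Patterns for the secret types the article says were harvested from exported data.
# The AWS access key ID shape (AKIA + 16 characters) is the documented format; the
# other two are heuristic assumptions and need tuning against real data.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "password": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)"),
    "snowflake_account": re.compile(r"(?i)\b([a-z0-9_.-]+\.snowflakecomputing\.com)\b"),
}

def redact(value):
    """Keep just enough of a secret to find it in a vault, never the whole value."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_records(records):
    """Return {secret_type: [(record_id, field, redacted_value), ...]}."""
    findings = defaultdict(list)
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    findings[kind].append((rec["Id"], field, redact(match.group(1))))
    return dict(findings)

def rotation_list(findings):
    """Secret types to rotate, most exposed first (ties broken by name)."""
    return sorted(findings, key=lambda kind: (-len(findings[kind]), kind))

# Constructed sample rows (not real data), shaped like exported support cases.
SAMPLE_RECORDS = [
    {"Id": "case-001", "Subject": "Upload failing",
     "Description": "Using key AKIAABCDEFGHIJKLMNOP for the bucket, still get 403."},
    {"Id": "case-002", "Subject": "Warehouse login",
     "Description": "Account acme-xy12345.snowflakecomputing.com, password: Winter2025!"},
    {"Id": "case-003", "Subject": "Billing question",
     "Description": "Please resend the invoice for July."},
]

if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for kind in rotation_list(found):
        for rec_id, field, shown in found[kind]:
            print(f"{kind:20} {rec_id} {field}: {shown}")
```

Every hit is a credential to rotate regardless of whether misuse has been observed, since the exported records are outside the organisation's control.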

The FBI released indicators of compromise and defensive tactics in September 2025 to help organisations detect and block potential attacks. However, the threat remains ongoing, with ShinyHunters and associated groups continuing to launch extortion attempts against affected organisations.

This incident serves as a significant case study in supply chain security, demonstrating how a single compromised integration point can create vulnerabilities across hundreds of organisations. As business systems become increasingly interconnected through APIs and third-party integrations, the attack surface expands exponentially, making supply chain security a critical concern for enterprises of all sizes.

Published January 16, 2026 at 5:18pm
