Date: 2026-01-16

Grubhub data stolen in apparent Salesloft Drift breach; ShinyHunters now extorting company

Attackers threaten to leak Salesforce and Zendesk data unless paid in bitcoin

At least 31 organizations hit in related breaches since August 2025

It seems that we can now add Grubhub to the ever-expanding list of businesses which had data stolen in the Salesloft Drift security fiasco.

Exclusive reporting from BleepingComputer claims Grubhub, a popular US food delivery platform, got hacked, and is now being extorted for money.

"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub said. "We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."

ShinyHunters and Salesloft Drift

Still, some information was taken, and at this time we don’t know what kind, or how many people are affected. Police have reportedly been notified, and external cybersecurity experts were brought in to assist.

Citing sources familiar with the matter, the publication says that the infamous ShinyHunters ransomware group was behind the attack. They are now asking for payment in bitcoin to keep Salesforce and Zendesk data from being leaked on the dark web. The Salesforce data is apparently from a February 2025 breach, while the Zendesk data is newer.

The breach happened after Grubhub’s login credentials and secrets got leaked through the Salesloft Drift attacks. For those with a shorter memory span, in August 2025 hackers stole OAuth tokens for Salesloft’s Salesforce integration and, over the next couple of months, exfiltrated sensitive data from dozens, if not hundreds, of organizations all over the world.

So far, there are at least 31 confirmed cases of data breaches related to the Salesloft Drift incident, including Dynatrace, Cloudflare, Palo Alto Networks, and many others. The full list can be found on this link.

The group known as ShinyHunters claimed responsibility for the attack. This is a ransomware actor that abandoned the encryption part of the process and focuses solely on data exfiltration.

