Data leak
Grubhub Data Breach via Third-Party Contractor
Incident Details
Grubhub detected unusual activity traced to a compromised third-party contractor account in early 2025. The contractor had access to internal systems used for customer care. Stolen data included names, email addresses, phone numbers, partial payment card details (card type and last 4 digits) for some campus diners, and hashed passwords from legacy systems. Full card numbers, SSNs, bank account details, and driver’s licence numbers were not accessed. Grubhub immediately terminated the contractor’s access and removed the provider. ShinyHunters claimed responsibility for the extortion attempt, reportedly demanding Bitcoin payment to avoid publishing older Salesforce records from a February 2025 breach and newer Zendesk data. The incident is a food delivery platform breach via a third-party vendor and highlights the risks of contractor access to customer support systems.
Technical Details
- Initial Attack Vector: Compromised credentials of a third-party service provider / contractor with access to Grubhub's internal systems
Timeline
- 2025-01-01 Breach occurred
- 2025-02-04 Publicly disclosed
- 2025-02-04 Customers notified