Code Defence Cyber security

Grubhub Confirmed as Latest Victim in “Salesforce Token” Breach Chain

Summary: Grubhub has confirmed a significant data breach linked to the ongoing Salesforce/Zendesk credential theft campaign. The threat actor group “ShinyHunters” is allegedly behind the attack, utilizing stolen OAuth integration tokens to gain pre-authenticated access to Grubhub’s SaaS environment. The group is now demanding a Bitcoin ransom to prevent the release of both legacy and recent customer data.

Business Impact: High. This demonstrates the “long tail” of SaaS supply chain attacks. Even if your core infrastructure is secure, your integrations with major platforms like Salesforce can be used as a “side door.” For your clients in Bahrain, this highlights the risk of “Token Theft” over traditional password-based attacks.

Why It Happened: Attackers used a large cache of OAuth tokens harvested during previous “vishing” (voice phishing) campaigns against Salesforce administrators. Because the tokens remain valid, attackers can “work through an inventory” of victims over time without needing to break in again.

Recommended Executive Action: Conduct an immediate “SaaS Token Audit.” Force-expire all high-privilege OAuth sessions for Salesforce, Zendesk, and Slack integrations. Implement continuous monitoring for anomalous data downloads originating from third-party app connectors.
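One way to start the connector monitoring recommended above, as an added example that is not part of the original post: it flags days when a third-party connector exports far more rows than its own history, or when a token appears from a source not seen before. The event schema, connector names, token IDs and thresholds are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical schema (not a vendor log format):
# (day, connector, token_id, source_ip, rows_exported)
EVENTS = [
    ("2025-01-01", "support-sync", "tok-A", "198.51.100.10", 1200),
    ("2025-01-02", "support-sync", "tok-A", "198.51.100.10", 1100),
    ("2025-01-03", "support-sync", "tok-A", "198.51.100.10", 1300),
    ("2025-01-04", "support-sync", "tok-A", "198.51.100.10", 1250),
    ("2025-01-05", "support-sync", "tok-A", "198.51.100.10", 1150),
    ("2025-01-06", "support-sync", "tok-A", "203.0.113.77", 250000),
    ("2025-01-01", "chat-bridge", "tok-B", "192.0.2.5", 300),
    ("2025-01-02", "chat-bridge", "tok-B", "192.0.2.5", 320),
    ("2025-01-03", "chat-bridge", "tok-B", "192.0.2.5", 310),
    ("2025-01-04", "chat-bridge", "tok-B", "192.0.2.5", 305),
    ("2025-01-05", "chat-bridge", "tok-B", "192.0.2.5", 315),
    ("2025-01-06", "chat-bridge", "tok-B", "192.0.2.5", 308),
]


def find_anomalies(events, k=5.0, min_history=3):
    """Return (day, connector, reasons) for connector-days that break baseline."""
    rows = defaultdict(lambda: defaultdict(int))      # connector -> day -> rows
    origins = defaultdict(lambda: defaultdict(set))   # connector -> day -> {(token, ip)}
    for day, app, token, ip, n in events:
        rows[app][day] += n
        origins[app][day].add((token, ip))

    alerts = []
    for app, per_day in rows.items():
        history, seen = [], set()
        for day in sorted(per_day):
            reasons = []
            if len(history) >= min_history:
                med = median(history)
                mad = median(abs(v - med) for v in history)
                # Floor the spread so a very steady connector does not alert on noise.
                if per_day[day] > med + k * max(mad, 0.1 * med):
                    reasons.append("volume")
                if origins[app][day] - seen:
                    reasons.append("new_source")
            if reasons:
                alerts.append((day, app, reasons))
            else:
                # Only clean days extend the baseline, so a theft cannot normalise itself.
                history.append(per_day[day])
                seen |= origins[app][day]
    return alerts
```

On the constructed data, only the 2025-01-06 activity of the hypothetical `support-sync` connector is flagged, for both reasons; the steady `chat-bridge` connector produces no alert.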

Hashtags: #Grubhub #SalesforceBreach #ShinyHunters #SaaSSecurity #TokenTheft #SupplyChain
