Full Report
Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond. [...]
Analysis Summary
# Incident Report: HungerRush POS Extortion and Data Breach Claim
## Executive Summary
HungerRush, a major restaurant POS provider, is facing an extortion attempt by a threat actor who has gained unauthorized access to their email infrastructure. The attacker mass-mailed restaurant patrons claiming to have stolen millions of records, including PII and credit card data, after the company allegedly ignored previous extortion demands. Evidence suggests the breach may be linked to an infostealer infection on an employee device.
## Incident Details
- **Discovery Date:** March 4, 2026
- **Incident Date:** Ongoing (Initial compromise suspected October 2025)
- **Affected Organization:** HungerRush
- **Sector:** Technology / Restaurant Point-of-Sale (POS)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Circa October 2025
- **Vector:** Infostealer Malware
- **Details:** An infostealer infection on a HungerRush employee's device allegedly compromised extensive corporate credentials.
### Lateral Movement
- **Details:** Using stolen credentials, the attacker likely accessed internal environments, including the company’s Twilio SendGrid account, used for transactional emails (receipts).
### Data Exfiltration/Impact
- **Details:** The attacker claims to have exfiltrated data records for millions of customers, including names, emails, hashed passwords, addresses, phone numbers, DoBs, and credit card info.
### Detection & Response
- **Date/Time:** March 4, 2026, Early Morning
- **How it was discovered:** Customers began reporting extortion emails sent from legitimate HungerRush domains (support[@]hungerrush.com).
- **Response actions taken:** External security researchers (Hudson Rock) identified related infostealer logs; the company was contacted for comment (investigation ongoing).
## Attack Methodology
- **Initial Access:** Infostealer malware (logs indicate an October 2025 infection).
- **Persistence:** Possession of multiple corporate credentials (NetSuite, Salesforce, etc.).
- **Defense Evasion:** Use of legitimate company infrastructure (SendGrid) and the company's authenticated sending domains, so the extortion mail passed spam and DMARC filtering.
- **Credential Access:** Theft of credentials for Stripe, Bill.com, Visa Online, and Salesforce via malware.
- **Exfiltration:** Mass-emailing of patrons used as the extortion lever (impact-based pressure).
- **Impact:** Brand damage and attempted extortion.
## Impact Assessment
- **Financial:** Risk of extortion payment; potential PCI-DSS non-compliance fines if credit card data is confirmed stolen.
- **Data Breach:** Claimed millions of records (PII and Financial data).
- **Operational:** Disruption to customer communication channels.
- **Reputational:** High; public extortion emails sent directly to the clients' end-customers (Sbarro, Jet's Pizza, etc.).
## Indicators of Compromise
- **Network indicators:**
  - 159.183.129[.]119 (Authorized SendGrid IP used for extortion)
  - o10.e.hungerrush[.]com
- **Behavioral indicators:**
  - Unauthorized transactional emails sent via SendGrid.
  - Employee logins from unrecognized geographic locations (associated with infostealer logs).
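The behavioral indicators above are the ones a defender can actually hunt for, because the sending IP is an authorized SendGrid pool address and the domain is the company's own, so neither is a discriminator on its own. The following is an added example, not code from the report, from HungerRush, or from SendGrid: it applies two of those indicators to constructed event records laid out like SendGrid event-webhook payloads (`timestamp`, `event`, `ip`, `category`), flagging an hourly send-volume spike against a baseline and traffic under a category the account has never used for transactional mail. The baseline value, the event data and the category names are constructed; the IP is the one named in the report.

```python
"""Hunt for abuse of a transactional-mail account in SendGrid-style event data.

Added example, not from the report or from HungerRush/SendGrid. Event records
are constructed in the shape of SendGrid event-webhook payloads.
"""
from collections import Counter
from datetime import datetime, timezone

# Authorized pool IP named in the report. Legitimate receipts and the extortion
# mail both leave through it, which is why IP alone is not a useful indicator.
SENDGRID_IP = "159.183.129.119"


def _ts(hour, minute=0):
    """Epoch seconds for a constructed instant on 2026-03-04 (UTC)."""
    return int(datetime(2026, 3, 4, hour, minute, tzinfo=timezone.utc).timestamp())


def make_events():
    """Constructed sample events (not real data)."""
    events = []
    # Normal overnight receipt traffic: a handful of sends per hour.
    for hour, count in ((0, 4), (1, 3), (2, 5)):
        for i in range(count):
            events.append({"timestamp": _ts(hour, i), "event": "processed",
                           "ip": SENDGRID_IP, "category": ["receipt"]})
            events.append({"timestamp": _ts(hour, i + 1), "event": "delivered",
                           "ip": SENDGRID_IP, "category": ["receipt"]})
    # Burst at 03:00 from the same authorized IP, under a never-before-seen category.
    for i in range(60):
        events.append({"timestamp": _ts(3, i % 60), "event": "processed",
                       "ip": SENDGRID_IP, "category": ["notice"]})
    return events


def categories_of(event):
    """SendGrid delivers 'category' as a string or a list; normalize to a list."""
    cat = event.get("category", [])
    return [cat] if isinstance(cat, str) else list(cat)


def hourly_send_counts(events):
    """Count accepted sends ('processed') per UTC hour; ignore delivery/open events."""
    counts = Counter()
    for e in events:
        if e.get("event") != "processed":
            continue
        hour = datetime.fromtimestamp(e["timestamp"], tz=timezone.utc)
        hour = hour.replace(minute=0, second=0, microsecond=0)
        counts[hour.isoformat()] += 1
    return counts


def find_anomalies(events, known_categories, baseline_per_hour, factor=5.0):
    """Return hours exceeding factor x baseline and categories not in the known set.

    baseline_per_hour would normally come from the account's own history
    (e.g. a 30-day hourly median); here the caller supplies a constructed value.
    """
    counts = hourly_send_counts(events)
    spikes = sorted(h for h, n in counts.items() if n > factor * baseline_per_hour)
    seen = {c for e in events if e.get("event") == "processed" for c in categories_of(e)}
    unknown = sorted(seen - set(known_categories))
    return {"spike_hours": spikes, "unknown_categories": unknown,
            "hourly_counts": dict(counts)}


if __name__ == "__main__":
    result = find_anomalies(make_events(), known_categories={"receipt"}, baseline_per_hour=4)
    for hour in result["spike_hours"]:
        print(f"volume spike: {hour} sent {result['hourly_counts'][hour]} messages")
    for cat in result["unknown_categories"]:
        print(f"unknown category in transactional stream: {cat}")
```

Both signals are cheap to compute from the event stream the account already emits, and the category check in particular catches a sender who reuses a legitimate key for a new kind of message rather than a new route out.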
## Response Actions
- **Containment:** Verification and potential revocation of SendGrid API keys and compromised employee credentials.
- **Eradication:** Investigation of the infected employee device identified in October 2025.
- **Recovery:** Public messaging to reassure customers and to warn patrons to watch for phishing.
## Lessons Learned
- **Credential Hygiene:** Infostealer infections can lie dormant for months before a threat actor chooses to monetize or act on the stolen data.
- **Identity Management:** Multi-Factor Authentication (MFA) must be enforced across all SaaS platforms (SendGrid, Salesforce, Stripe) to prevent stolen credentials from being useful.
- **Third-Party Risk:** Compromising a POS provider allows a "one-to-many" attack on thousands of downstream restaurant brands.
## Recommendations
- **Implement Hardware MFA:** Transition from SMS/Push-based MFA to FIDO2 hardware keys to mitigate infostealer/session hijacking risks.
- **API Key Scoping:** Restrict SendGrid API keys to specific IP ranges and limit permissions to prevent mass-mailing capability by unauthorized users.
- **Endpoint Detection & Response (EDR):** Deploy robust EDR solutions to detect infostealer activity (e.g., RedLine, Lumma, Vidar) before credentials can be exfiltrated.
- **Credential Rotation:** Force a company-wide password reset and session invalidation for all critical business platforms (Salesforce, Stripe, NetSuite).
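The API key scoping and credential rotation recommendations above are easiest to act on with an audit that lists which keys exceed the permissions a receipt sender needs, and whether the account's IP allowlist actually covers the application's egress address. The block below is an added example, not code from the report, from HungerRush, or from SendGrid. It runs over constructed records shaped like the responses of SendGrid's API key listing (`api_key_id`, `name`, `scopes`) and IP access management list (`ip` entries); the scope names follow SendGrid's documented `resource.action` naming (`mail.send`, `api_keys.create`, and so on) but are assumptions to verify against the vendor documentation, and the key names, ids and addresses are made up.

```python
"""Audit SendGrid API key scopes and IP allowlist coverage.

Added example, not from the report or from HungerRush/SendGrid. Record shapes
and scope names are assumptions based on SendGrid's public API conventions.
"""
import ipaddress

# The only scope a transactional receipt sender needs (assumed scope name).
SEND_ONLY_SCOPES = {"mail.send"}

# Scope prefixes that control the account itself rather than sending mail
# (assumed names). A key carrying any of these lets a holder mint new keys,
# edit the IP allowlist or read account data, so it is rated high.
ADMIN_SCOPE_PREFIXES = ("api_keys.", "access_settings.", "user.", "subusers.",
                        "ips.", "mail_settings.", "tracking_settings.", "billing.")

# Constructed sample of a GET /v3/api_keys style listing (not real keys).
SAMPLE_KEYS = [
    {"api_key_id": "constructed-0001", "name": "receipts-send-only",
     "scopes": ["mail.send"]},
    {"api_key_id": "constructed-0002", "name": "receipts-with-templates",
     "scopes": ["mail.send", "templates.read", "templates.versions.read"]},
    {"api_key_id": "constructed-0003", "name": "legacy-full-access",
     "scopes": ["mail.send", "api_keys.create", "api_keys.read",
                "access_settings.whitelist.create", "user.account.read"]},
]

# Constructed sample of an IP access management listing: each entry's "ip"
# may be a single address or a CIDR block.
SAMPLE_ALLOWLIST = [{"ip": "203.0.113.0/24"}, {"ip": "192.0.2.10"}]


def audit_api_keys(keys, intended_scopes=SEND_ONLY_SCOPES):
    """Flag every key whose scopes exceed the intended set.

    Returns one finding per over-scoped key; keys within the intended set
    produce nothing. Severity is 'high' when any admin-class scope is present.
    """
    findings = []
    for key in keys:
        scopes = set(key.get("scopes", []))
        excess = sorted(scopes - set(intended_scopes))
        if not excess:
            continue
        admin = sorted(s for s in scopes if s.startswith(ADMIN_SCOPE_PREFIXES))
        findings.append({
            "api_key_id": key["api_key_id"],
            "name": key["name"],
            "excess_scopes": excess,
            "admin_scopes": admin,
            "severity": "high" if admin else "medium",
        })
    return findings


def least_privilege_key_request(name):
    """Body for creating a replacement key that can only send mail.

    Shape assumed from SendGrid's key-creation API: a name plus an explicit
    scope list. Rotating to a key like this, then deleting the old one, is the
    containment step for a leaked or over-scoped key.
    """
    return {"name": name, "scopes": sorted(SEND_ONLY_SCOPES)}


def ip_allowlist_covers(allowlist, egress_ip):
    """True if the account's IP allowlist admits the given egress address."""
    addr = ipaddress.ip_address(egress_ip)
    for entry in allowlist:
        network = ipaddress.ip_network(entry["ip"], strict=False)
        if addr in network:
            return True
    return False


if __name__ == "__main__":
    for finding in audit_api_keys(SAMPLE_KEYS):
        print(f"[{finding['severity']}] {finding['name']}: excess {finding['excess_scopes']}")
    print("replacement key request:", least_privilege_key_request("receipts-2026"))
    print("app egress allowed:", ip_allowlist_covers(SAMPLE_ALLOWLIST, "203.0.113.25"))
```

Run against a real listing, the high-severity findings are the keys to rotate first, since a stolen key with `api_keys.*` or `access_settings.*` scopes lets the holder undo the allowlist and scoping controls the recommendation relies on. The allowlist check is worth running before tightening the list, so the application's own egress address is not locked out along with the attacker.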