▣ Breach HUNGERRUSH-SENDGRI 2026-06-01

HungerRush: SendGrid API Extortion and Supply Chain Poisoning

HungerRush, a major U.S. restaurant technology provider serving over 16,000 quick-service, fast-casual, and pizza locations across North America, has been hit by a severe supply chain compromise. The incident, validated on monitored underground cybercrime channels on May 31, 2026, involved the hijacking of Twilio SendGrid API tokens, mass extortion emails sent directly to end consumers, and the public liquidation of two unencrypted master data tables containing both patron PII and B2B merchant records.

What Happened

On May 31, 2026, threat intelligence monitoring confirmed the surfacing of a data liquidation and corporate extortion thread on prominent hacker forums targeting HungerRush (hungerrush.com). The threat actors compromised the platform's centralized databases, digital ordering channels, and cloud-hosted management environments, which serve as the backbone for POS transactions, online ordering, and delivery management across thousands of franchised restaurant locations.

After hijacking the company's Twilio SendGrid API access tokens, normally used to dispatch automated transaction receipts, the adversary bypassed traditional closed-door negotiations entirely. Instead, they mass-mailed extortion demands directly to millions of end consumers and restaurant patrons through HungerRush's own trusted email infrastructure. When the company refused to pay, the actors publicly published the stolen relational data tables on underground forums.

What Was Taken

The leaked data spans two comprehensive master tables harvested from HungerRush's centralized supply chain ingress:

The volume reflects exposure across HungerRush's footprint of more than 16,000 restaurant locations, making this one of the larger consumer-impacting hospitality breaches of the year.

Why It Matters

This breach demonstrates how B2B SaaS aggregators function as high-yield supply chain pivot points. A single intrusion against a centralized restaurant technology vendor cascades downstream into thousands of franchises and millions of consumer records, all in one breach cycle. The attacker's choice to use SendGrid to mail extortion notes directly from a trusted sender domain represents an evolution in pressure tactics: it bypasses the victim's PR controls, weaponizes brand trust, and converts every consumer into a secondary leverage point against the vendor.

The incident also underscores the long tail of infostealer infections. A single endpoint compromise from October 2025 produced credentials that remained viable seven months later, enabling a multi-million record liquidation event.

The Attack Technique

Forensic indicators point to corporate credentials harvested through an October 2025 infostealer malware infection on an internal HungerRush device. Those credentials were used to access the company's Twilio SendGrid integration, where the attackers extracted API tokens originally provisioned for transactional receipt generation.

With SendGrid access in hand, the threat actors pivoted into the broader cloud-hosted management environment, exfiltrating both consumer and merchant relational tables. The final stage involved mass abuse of the SendGrid API itself to deliver extortion correspondence to the harvested consumer email list, simultaneously notifying victims and amplifying public pressure on HungerRush to pay.

What Organizations Should Do

  1. Rotate all third-party email and messaging API tokens (SendGrid, Twilio, Mailgun, Postmark) immediately, and scope new tokens to the minimum required IP ranges, sender domains, and permission levels.
  2. Audit infostealer exposure by monitoring stealer log marketplaces and underground channels for any references to corporate domains or employee email addresses, and force credential resets on any matches dating back at least 12 months.
  3. Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all SaaS administrative consoles, especially marketing automation, transactional email, and POS management platforms.
  4. Implement anomaly detection on outbound email volume and recipient diversity in transactional email services to detect mass-extortion or spam abuse of legitimate sending infrastructure.
  5. Segment B2B SaaS integrations so that a compromise of any single vendor token cannot pivot into customer PII databases or cross-tenant management environments.
  6. Prepare consumer-facing breach response playbooks that anticipate attackers contacting customers directly, including pre-drafted communications, abuse-channel coordination with SendGrid/Twilio, and rapid takedown procedures.
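
A sketch of the detection in step 4, added here as an illustration and not taken from HungerRush, Twilio, or the source report: it baselines hourly send volume and distinct-recipient counts per sending API key and flags hours that exceed a median + MAD threshold. The event tuple layout, the key name `receipts-key`, and all sample data are constructed assumptions.

```python
# Added example: hourly volume / recipient-diversity check per sending API key.
# Event fields and key names are constructed, not a SendGrid export format.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def hourly_stats(events):
    """events: (iso_timestamp, api_key_id, recipient) -> {(key, hour): (volume, unique)}"""
    buckets = defaultdict(list)
    for ts, key_id, rcpt in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(key_id, hour)].append(rcpt.strip().lower())
    return {k: (len(v), len(set(v))) for k, v in buckets.items()}

def threshold(values, k=6.0, floor=1.0):
    """Median + k * MAD; the floor keeps a flat baseline from alerting on +1."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, floor)

def find_anomalies(baseline, current, k=6.0):
    history = defaultdict(lambda: ([], []))
    for (key_id, _), (vol, uniq) in hourly_stats(baseline).items():
        history[key_id][0].append(vol)
        history[key_id][1].append(uniq)
    alerts = []
    for (key_id, hour), (vol, uniq) in sorted(hourly_stats(current).items()):
        if key_id not in history:  # a key with no history is itself worth a look
            alerts.append((key_id, hour.isoformat(), ["no-baseline"], vol, uniq))
            continue
        vols, uniqs = history[key_id]
        reasons = [name for name, seen, past in
                   (("volume", vol, vols), ("recipient-diversity", uniq, uniqs))
                   if seen > threshold(past, k)]
        if reasons:
            alerts.append((key_id, hour.isoformat(), reasons, vol, uniq))
    return alerts

def sample(start, hours, per_hour, pool):
    """Constructed events: per_hour sends each hour, cycling through `pool` addresses."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(hours=h, seconds=i)).isoformat(), "receipts-key",
             f"user{(h * per_hour + i) % pool}@example.com")
            for h in range(hours) for i in range(per_hour)]

BASELINE = sample("2026-05-01T00:00:00", hours=48, per_hour=25, pool=400)
NORMAL = sample("2026-05-03T00:00:00", hours=1, per_hour=27, pool=400)
BURST = sample("2026-05-03T01:00:00", hours=1, per_hour=3000, pool=100000)

if __name__ == "__main__":
    for alert in find_anomalies(BASELINE, NORMAL + BURST):
        print(alert)
```

In production the baseline would be split by hour of day and day of week, since restaurant receipt traffic peaks around meal times and a single flat threshold would either miss off-hours abuse or alert on every dinner rush.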

Sources: Supply Chain Poisoning and Massive Consumer Ledgers Liquidated via Hacker Networks Following SendGrid API Extortion — HungerRush (USA)