HungerRush Customers Receive Mass Extortion Emails as Hacker Claims Restaurant Data Breach

Summary

Customers of restaurants using HungerRush's point-of-sale platform received extortion emails on March 4, 2026, from a threat actor claiming to possess millions of customer records. The emails, sent through HungerRush's own email infrastructure via Twilio SendGrid, threatened to expose restaurant and customer data if the company failed to respond to extortion demands. The messages originated from legitimate HungerRush email addresses and passed standard authentication checks, indicating the attacker had compromised the company's email-sending capabilities.

The second email escalated threats by claiming access to comprehensive customer data including names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information across millions of records. Security researcher Alon Gal from Hudson Rock revealed that infostealer logs suggest a HungerRush employee's device was infected with malware in October 2025, potentially compromising credentials for various corporate systems including NetSuite, QuickBooks, Stripe, and Salesforce.

HungerRush, which serves over 16,000 restaurants including major chains like Sbarro and Jet's Pizza, has not yet confirmed whether a breach occurred or if unauthorized access to its systems was achieved. The incident highlights the vulnerability of restaurant technology providers that process sensitive payment and customer information, and raises concerns about supply chain security in the hospitality industry.

• The emails passed SPF, DKIM, and DMARC authentication checks, confirming they were sent through authorized channels