Some Grubhub customers around the Bay Area say their inboxes lit up yesterday evening with emails that looked legit, sounded urgent, and pushed a too-good-to-be-true crypto “deal” straight out of a scammer’s playbook.
The messages told recipients to send bitcoin to a specific wallet address and claimed Grubhub would “10x” whatever they sent. Several customers told reporters the pitches felt oddly personal and time-sensitive, with at least one follow-up email allegedly warning there were only “30 minutes” left to cash in on the so-called promotion.
What the emails said
Screenshots reviewed by reporters show the emails using a Grubhub-style sender name and casual greetings like “happy holidays,” then steering readers toward sending cryptocurrency, as reported by KRON4. One published email header listed the sender as [email protected]. KRON4 also noted it is not clear whether the Tuesday messages are tied to any previous security incident.
Earlier vendor breach provides possible source
Back in February, Grubhub disclosed that a third-party vendor incident had allowed unauthorized access to certain customer, driver, and merchant contact information. The company said it rotated affected passwords and brought in forensic experts to investigate, according to a Grubhub statement. National coverage of that February disclosure documented that the exposed data included names, email addresses, and phone numbers, which are exactly the kinds of details scammers like to reuse to craft convincing phishing messages, per TechCrunch.
Why stolen contact info matters
Security reporting on the earlier incident warned that even basic contact details and partial card data can be enough to nudge people into responding to scams, per reporting from cybersecurity outlets. Criminals often bundle up leaked information and sell it on underground forums, then use those names, emails, and numbers to make phishing messages feel tailored and trustworthy, which increases the odds that someone will click a link or send money, according to BleepingComputer.
How to protect yourself
The golden rule still applies here: do not send cryptocurrency or click links in unsolicited emails. The Federal Trade Commission says legitimate companies and government agencies will not ask you to pay with bitcoin or gift cards. If one of these messages landed in your inbox, delete it, report it to your email provider, and file a complaint with the FTC at ReportFraud.ftc.gov. The agency also recommends changing your Grubhub password and turning on two-factor authentication for extra protection, per FTC guidance.
