U.S. food delivery giant Grubhub says hackers accessed the personal details of customers and drivers after breaching its internal systems. 

Grubhub is a popular food-ordering and delivery platform with over 375,000 merchants and 200,000 delivery providers using its platform in more than 4,000 U.S. cities. New York-based Wonder Group acquired the company last fall in a deal valued at $650 million — a fraction of the $7.3 billion Just Eat Takeaway paid for it back in 2020. 

On Monday, the Illinois-based company disclosed a data breach impacting the personal data of an undisclosed number of customers, merchants and drivers. Grubhub said it detected “unusual activity” in its network which it traced to a third-party service provider. 

“Upon discovery, we promptly launched an investigation, identifying unauthorized access to an account associated with this provider,” Grubhub said in a statement. “We immediately terminated the account’s access and removed the service provider from our systems altogether.”

It said the intrusion allowed unnamed hackers to access the personal details of customers, merchants and drivers who interacted with its customer care service. The breach also affected users of Grubhub’s Campus Dining service, which allows university students to use their meal credits on the food delivery app. 

According to Grubhub personal details accessed include names, email addresses, phone numbers, and partial payment card information — including the last four digits of the card number — for a “subset” of campus diners. The hacker also accessed hashed passwords for certain legacy systems, per Grubhub, but it added that bank account details and Social Security numbers were not affected by the breach. 

As well as not disclosing how many individuals have been affected by the breach Grubhub has not confirmed when the incident occurred.

The company did not immediately respond to TechCrunch’s questions.