A threat actor has launched a mass email campaign targeting customers of restaurants that use the HungerRush point-of-sale (POS) platform. The attacker claims to possess sensitive restaurant and customer data and is attempting to pressure the company into paying an extortion demand.
The campaign involved sending emails directly to restaurant patrons warning that millions of records could be exposed if the company fails to respond to the attacker’s demands.
HungerRush provides restaurant technology including POS systems, online ordering platforms, delivery management tools, and payment processing services. The company reportedly works with more than 16,000 restaurants, including chains such as Sbarro, Jet’s Pizza, Fajita Pete’s, and Hungry Howie’s.
Timeline of the Extortion Campaign
Initial Email
The attacker began sending emails early Wednesday morning to individuals who had previously ordered food from restaurants using HungerRush systems.
The first email was sent from:
[email protected]
The message warned the company not to ignore previous extortion attempts and suggested that customer data was at risk.
Excerpt from the message:
“You cannot ignore all my requests and expect me not to take malicious actions.”
The email implied that both restaurant and consumer data could be compromised if the company failed to respond.
Escalation Email
Approximately three hours later, the attacker sent a second email from:
[email protected]
In this message, the attacker escalated the threats, claiming to have access to millions of customer records.
The alleged exposed data included:
- Full names
- Email addresses
- Passwords
- Home addresses
- Phone numbers
- Dates of birth
- Credit card information
The attacker used these claims to pressure HungerRush into paying an unspecified ransom.
Email Infrastructure Used in the Attack
Analysis of the email headers showed the messages were sent via Twilio SendGrid infrastructure.
Key findings:
- Emails originated from the domain: o10.e.hungerrush.com
- IP address involved: 159.183.129.119
This infrastructure is associated with the Twilio email delivery service SendGrid, commonly used for transactional emails such as receipts and marketing messages.
Importantly, the emails passed authentication checks, including:
- SPF
- DKIM
- DMARC
Because the messages passed all three checks, they were not forged from outside the domain; the attacker most likely had access to an authorized email-sending system or to credentials associated with the domain.
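The following Python is an added example, not part of the original report, showing how a defender would triage the header evidence described above: when SPF, DKIM and DMARC all pass and align with the From domain, the mail travelled through the brand's own authorized sending path, so the investigation pivots to the sending-platform account and vendor access rather than to spoofing. The header text, the placeholder From address and the spoofed counter-example are constructed; only the domain o10.e.hungerrush.com and the IP 159.183.129.119 come from the report.

```python
import re
from email import message_from_string

# Constructed samples: header text and the From placeholder are assumptions; only o10.e.hungerrush.com and 159.183.129.119 are from the report.
SAMPLE_ABUSE = """\
From: "HungerRush" <redacted-sender@hungerrush.com>
Received: from o10.e.hungerrush.com (o10.e.hungerrush.com. [159.183.129.119])
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 159.183.129.119) smtp.mailfrom=o10.e.hungerrush.com;
 dkim=pass header.d=hungerrush.com header.s=s1;
 dmarc=pass (p=REJECT) header.from=hungerrush.com
"""
SAMPLE_SPOOF = """\
From: "HungerRush" <redacted-sender@hungerrush.com>
Received: from mail.attacker-example.net (unknown [198.51.100.7])
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=attacker-example.net; dkim=none;
 dmarc=fail (p=REJECT) header.from=hungerrush.com
"""
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
DOMAIN_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", re.I)

def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption: no
    public-suffix list, adequate for hungerrush.com-style names)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(raw: str) -> dict:
    """Extract verdicts, evaluated domains, From domain and connecting IP."""
    msg = message_from_string(raw)
    ar = msg.get("Authentication-Results", "")
    frm = re.search(r"@([\w.-]+)", msg.get("From", ""))
    ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    return {
        "verdicts": {k.lower(): v.lower() for k, v in VERDICT_RE.findall(ar)},
        "domains": {k.lower(): v.lower() for k, v in DOMAIN_RE.findall(ar)},
        "from_domain": frm.group(1).lower() if frm else "",
        "client_ip": ip.group(1) if ip else "",
    }

def classify(parsed: dict) -> str:
    """Spoofed look-alike, or mail sent through the brand's own authorized path?"""
    v, d, frm = parsed["verdicts"], parsed["domains"], parsed["from_domain"]
    dkim_ok = v.get("dkim") == "pass" and org_domain(d.get("header.d", "")) == org_domain(frm)
    spf_ok = v.get("spf") == "pass" and org_domain(d.get("smtp.mailfrom", "")) == org_domain(frm)
    if v.get("dmarc") == "pass" and (dkim_ok or spf_ok):
        # Anti-spoofing cannot catch this: triage pivots to the sending platform's
        # account, API keys and vendor access instead of the mail authentication.
        return "authorized-infrastructure-abuse"
    return "spoofed-or-unaligned"
```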
Possible Initial Access Vector
Security researcher Alon Gal, co-founder and CTO of Hudson Rock, suggested that earlier infostealer malware logs might provide clues about the breach.
According to Gal, logs indicate that a HungerRush employee device may have been infected with an infostealer in October 2025, potentially leaking corporate credentials.
The stolen credentials reportedly included access to several corporate platforms:
- NetSuite
- QuickBooks-related services
- Stripe dashboards
- Bill.com vendor payment systems
- Visa Online commercial services
- Salesforce environments
However, it remains unclear whether these stolen credentials were directly connected to the extortion campaign.
HungerRush Official Response
HungerRush confirmed it is investigating the incident and has notified law enforcement authorities.
The company stated:
“We are aware of the situation and are actively investigating in coordination with the appropriate authorities.”
After further investigation, HungerRush clarified that the incident was not related to the infostealer infection reported earlier.
Instead, the breach was attributed to compromised credentials belonging to a third-party vendor, which allowed the attackers to access the company’s email marketing service account.
Scope of the Exposure
According to HungerRush, the attacker accessed limited customer contact information, including:
- Names
- Email addresses
- Mailing addresses
- Phone numbers
The company emphasized that the following sensitive data was not exposed:
- Passwords
- Dates of birth
- Social Security numbers
- Payment card information
Additionally, the company stated that credit card data is not stored in HungerRush systems, further reducing the risk of financial exposure.
Potential Risk for Customers
Although sensitive financial data was reportedly not compromised, affected users should remain cautious.
Potential risks include:
- Phishing attacks using leaked contact information
- SMS scams targeting known restaurant customers
- Social engineering using restaurant order history
Users should remain alert for suspicious emails or messages referencing restaurant orders.
Security Lessons from the Incident
This event highlights several important cybersecurity lessons:
1. Third-Party Vendor Risk
Even if core systems remain secure, compromised vendor credentials can expose internal systems.
2. Email Infrastructure Abuse
Access to legitimate email services allows attackers to bypass common spam protections.
3. Data Exposure Amplifies Extortion
Attackers increasingly target both companies and customers to increase pressure during extortion attempts.
4. Infostealer Malware Remains a Major Threat
Credential theft from employee devices continues to be a common initial access vector in enterprise breaches.
Conclusion
The HungerRush extortion campaign demonstrates how attackers increasingly leverage legitimate email infrastructure and vendor credentials to conduct high-impact extortion operations.
While HungerRush reports that sensitive financial information was not compromised, the incident illustrates the growing risks associated with third-party integrations, marketing platforms, and credential-based attacks.
Organizations using large-scale customer databases must ensure strict controls around:
- Vendor access management
- Email platform authentication
- Credential monitoring
- Incident response readiness
As cybercriminals continue to evolve their tactics, attacks that target both businesses and end-users simultaneously are likely to become more common.
