A threat actor is attempting to extort HungerRush, a restaurant technology provider, by sending emails to the company's restaurant customers. The emails claim the attacker has access to millions of customer records containing sensitive personal and financial data. HungerRush has confirmed a security incident and is investigating, though it disputes a link to a previously reported infostealer infection on an employee's device. The main topics covered are the extortion attempt, the potential data breach, and the company's response.
Update: Added HungerRush statement below.
Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond.
HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations.
The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more.
Extortion emails sent to restaurant patrons
The attacker started sending the emails early Wednesday morning, with multiple recipients sharing samples with BleepingComputer.
The first email was sent from support@hungerrush.com, prompting HungerRush to stop ignoring their extortion emails or it would put customer data at risk.
"You cannot ignore all my requests and expect me not to take malicious actions. You still have time," reads the email.
"Every restaurant and customer of said restaurants' data which is in the millions is in jeopardy here and I can't even get a response back. Not to worry, there's still time left."
A second email, sent three hours later from "2019@hungerrush.com," escalates the threat, claiming that the attacker has access to data records for millions of customers that contain names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information.
BleepingComputer's analysis of the email headers shows they were delivered using Twilio SendGrid, which customers have told BleepingComputer was previously used to send HungerRush restaurant receipts.
The emails were sent from o10.e.hungerrush.com (159.183.129.119), which resolves to infrastructure operated by Twilio SendGrid, a platform commonly used by companies to send transactional and marketing emails.
The email headers also confirm that the messages passed SPF, DKIM, and DMARC authentication checks for the hungerrush.com domain, as the company's SPF record, shown below, authorizes SendGrid to send emails on their behalf.
v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:mail.zendesk.com include:_spf.psm.knowbe4.com include:sendgrid.net include:4750273.spf01.hubspotemail.net -all
Numerous people on Reddit have reported receiving the emails, stating that past digital receipts from restaurants showed they used HungerRush's ordering or POS systems.
Alon Gal, co-founder and CTO of Hudson Rock, posted on LinkedIn that infostealer logs indicate a HungerRush employee's device was allegedly infected with an infostealer in October 2025, leading to the compromise of credentials.
According to Gal, the malware stole numerous corporate credentials, including those for the company's NetSuite, QuickBooks-related services, Stripe dashboards, Bill.com vendor payment systems, Visa Online commercial services, and Salesforce environments.
It is unclear if these stolen credentials are linked to the claimed breach at HungerRush.
For the time being, customers of restaurants using the HungerRush POS system should be on alert for potential phishing emails and SMS texts that abuse the potentially stolen information.
HungerRush confirms breach
HungerRush confirmed to BleepingComputer that they are aware of the incident and have notified law enforcement.
"We are aware of the situation and are actively investigating in coordination with the appropriate authorities," HungerRush told BleepingComputer.
"Our teams are working quickly to understand the scope, address the issue, and implement any necessary remediation. Protecting our clients and their customers' data is a top priority, and we are treating this matter with the utmost urgency."
In a later update, the company says that the incident is not linked to the infostealer infection seen by Alon Gal. Instead, HungerRush says the threat actor used a third-party vendor's compromised credentials to breach its email marketing service account.
This allowed the threat actor to gain access to customer contact information, which was used to send the unauthorized emails.
"As a result, certain customer contact information (including names, email addresses, mailing addresses, and phone numbers) was accessed and used to send unauthorized email messages to certain merchants and consumers," HungerRush told BleepingComputer in an updated statement.
However, HungerRush disputes the threat actor's claims, stating that no sensitive personal or financial information, such as passwords, dates of birth, Social Security numbers, or payment card information, was exposed in the breach.
HungerRush also noted that credit card data is not stored within its systems.
Furthermore, the company says there is no evidence that any other systems were compromised, with the breach limited to the email marketing service.
"As a precautionary measure, HungerRush disabled access to the affected email service to prevent additional unauthorized messages from being sent while the investigation continues," the company said.
Red Report 2026: Why Ransomware Encryption Dropped 38%
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
Meridiano
