Imagine receiving an email threatening to expose your favorite pizza joint’s customer data unless they pay up. Sounds like a plot twist in a cyber thriller, right? But this isn’t fiction—it’s happening right now. Customers of restaurants using HungerRush, a popular point-of-sale (POS) platform, have been on the receiving end of chilling extortion emails from a threat actor demanding action from the company. And this is the part most people miss: the attacker claims to have access to millions of customer records, including names, emails, passwords, addresses, phone numbers, dates of birth, and even credit card information. Yikes.
Here’s the full scoop: HungerRush is a tech powerhouse in the restaurant industry, offering POS systems, online ordering, delivery management, and payment processing solutions to over 16,000 eateries, including big names like Sbarro, Jet’s Pizza, and Hungry Howie’s. But here’s where it gets controversial: the attacker alleges that HungerRush has been ignoring their demands, putting sensitive data at risk. The first email, sent from an address mimicking HungerRush’s support team, bluntly warns, ‘You cannot ignore all my requests and expect me not to take malicious actions.’ A follow-up email, sent just hours later, doubles down on the threat, claiming the attacker has already infiltrated the system.
But how did this happen? Cybersecurity experts point to a potential infostealer infection on a HungerRush employee’s device as early as October 2025, which may have compromised corporate credentials for platforms like NetSuite, Stripe, and Salesforce. While it’s unclear if this breach is directly linked to the extortion emails, the timing is suspiciously coincidental. BleepingComputer’s analysis reveals the emails were sent via Twilio SendGrid, a legitimate service HungerRush uses for transactional emails, adding a layer of authenticity that could trick unsuspecting recipients.
Here’s the kicker: Despite the alarming claims, HungerRush has only confirmed they’re ‘actively investigating’ the incident with law enforcement. Meanwhile, customers are left wondering if their data is safe. Should they be worried about phishing scams or identity theft? Absolutely. If you’ve ever ordered from a HungerRush-powered restaurant, now’s the time to monitor your accounts and change passwords—just in case.
But here’s the real question: Is this a wake-up call for the entire restaurant tech industry? With cybercriminals increasingly targeting POS systems, how prepared are these companies to protect your data? Let’s spark a conversation. Do you think HungerRush could have done more to prevent this? Or is this an unavoidable risk in today’s digital landscape? Drop your thoughts in the comments—we’re all ears.
