EatStreet, a U.S.-based online food ordering and delivery marketplace, suffered a data breach beginning May 3, 2019 when an unauthorized third party gained access to EatStreet's database. EatStreet detected the intrusion on May 17, 2019, terminated the unauthorized access, and engaged an external information-technology forensics firm to investigate. The breach has been attributed to the GnosticPlayers hacker group, which was responsible for a series of high-profile breaches at consumer platforms during the 2019 period. EatStreet publicly disclosed the breach on June 14, 2019 and notified affected customers, restaurant partners, and delivery partners. The breach was redistributed and indexed by DataBreach.com on March 4, 2025.

The breach affected approximately 6.4 million records based on records indexed by Have I Been Pwned and DataBreach.com, spanning three distinct affected populations. For consumer customers, compromised fields included names, email addresses, phone numbers, physical addresses, dates of birth, gender, social media profile linkages, and passwords stored as bcrypt hashes. For most affected customers, payment card data exposure was limited to partial credit card information; however, for a limited number of customers who used the EatStreet platform during the intrusion window, the attacker accessed full payment card information including credit card numbers, expiration dates, card verification codes (CVV), and billing addresses. For restaurant partners and delivery partners, compromised fields included business and individual names, addresses, phone numbers, email addresses, bank account numbers, and routing numbers used for marketplace payouts.

For affected individuals, the practical risk profile varies substantially across the three affected populations and is most severe for the limited subset of customers whose full payment card data was exposed and for restaurant and delivery partners whose bank account and routing numbers were exposed. Affected customers in the full-card-data subset face direct payment card fraud risk and should monitor card statements, request replacement cards, and dispute any unauthorized charges. Restaurant and delivery partners face direct bank account fraud risk because exposed bank account and routing numbers can be used to initiate ACH withdrawals or to support synthetic identity fraud, and these partners should consider establishing bank account fraud alerts or, in higher-risk cases, opening replacement accounts. The combination of name, date of birth, email, phone, and physical address for the broader customer population supports identity-fraud and credential-stuffing attacks against other accounts where the EatStreet password was reused. All affected individuals should change reused passwords on other accounts, enable two-factor authentication where available, and monitor financial accounts and credit reports for unauthorized activity.

Food-ordering platforms collect customer identity, phone numbers, addresses, payment-adjacent data, order history, and restaurant interactions across marketplace and delivery workflows.

EatStreet has continued to operate following the 2019 breach. Following the breach disclosure on June 14, 2019, EatStreet announced multiple security enhancements including reinforced multi-factor authentication, credential-key rotation, and review and update of coding practices. EatStreet engaged an external information-technology forensics firm to investigate the incident and audit its systems for additional unauthorized access. EatStreet sent breach notification letters to affected customers, restaurant partners, and delivery partners and notified credit card payment processors. The breach was redistributed and indexed by DataBreach.com on March 4, 2025 as part of the broader 2024 to 2025 historical-breach indexing wave. EatStreet has continued to operate the food ordering platform without public disclosure of subsequent security incidents.