EatStreet 2019 Data Breach
ObscureIQ Breach Intelligence
Moderate SeverityWebsite / service breach
EatStreet Food Ordering Service Breach (2019): 6.4 Million Customer Records Including Full Credit Card Data Exposed
Online food ordering and delivery platform.
Verified by ObscureIQ Intelligence
54/100Breach Risk Index
18Data Value
25Market Recency
419dSince Breach
Breach Intelligence Summary
Entity: EatStreet · Actor: GnosticPlayers · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Online food ordering and delivery · Marketplace + logistics network · USA
Timeline: Breach (2019-05-03) · Indexed (Mar 04, 2025) · Year (2019)
Exposure: 6.4M records · 9 fields: Credit Card, Date of Birth, Email Address, Full Name, Gender, Password, Phone Number, Physical Address, Social Media Profile
Status: Confirmed
Executive Summary
EatStreet, a U.S.-based online food ordering and delivery marketplace, suffered a data breach beginning May 3, 2019 when an unauthorized third party gained access to EatStreet's database. EatStreet detected the intrusion on May 17, 2019, terminated the unauthorized access, and engaged an external information-technology forensics firm to investigate. The breach has been attributed to the GnosticPlayers hacker group, which was responsible for a series of high-profile breaches at consumer platforms during the 2019 period. EatStreet publicly disclosed the breach on June 14, 2019 and notified affected customers, restaurant partners, and delivery partners. The breach was redistributed and indexed by DataBreach.com on March 4, 2025. The breach affected approximately 6.4 million records based on records indexed by Have I Been Pwned and DataBreach.com, spanning three distinct affected populations. For consumer customers, compromised fields included names, email addresses, phone numbers, physical addresses, dates of birth, gender, social media profile linkages, and passwords stored as bcrypt hashes. For most affected customers, payment card data exposure was limited to partial credit card information; however, for a limited number of customers who used the EatStreet platform during the intrusion window, the attacker accessed full payment card information including credit card numbers, expiration dates, card verification codes (CVV), and billing addresses. For restaurant partners and delivery partners, compromised fields included business and individual names, addresses, phone numbers, email addresses, bank account numbers, and routing numbers used for marketplace payouts. For affected individuals, the practical risk profile varies substantially across the three affected populations and is most severe for the limited subset of customers whose full payment card data was exposed and for restaurant and delivery partners whose bank account and routing numbers were exposed. Affected customers in the full-card-data subset face direct payment card fraud risk and should monitor card statements, request replacement cards, and dispute any unauthorized charges. Restaurant and delivery partners face direct bank account fraud risk because exposed bank account and routing numbers can be used to initiate ACH withdrawals or to support synthetic identity fraud, and these partners should consider establishing bank account fraud alerts or, in higher-risk cases, opening replacement accounts. The combination of name, date of birth, email, phone, and physical address for the broader customer population supports identity-fraud and credential-stuffing attacks against other accounts where the EatStreet password was reused. All affected individuals should change reused passwords on other accounts, enable two-factor authentication where available, and monitor financial accounts and credit reports for unauthorized activity.
ObscureIQ assessment: Exposure enables phishing, order fraud, delivery impersonation, and household targeting. Address and order patterns can also reveal routines and consumption habits.
Breach Impact
The institutional impact on EatStreet has been moderate given the marketplace's three-sided affected population and the inclusion of full credit card and bank account data for affected subsets. EatStreet incurred costs associated with the external forensics investigation, breach notification across U.S. state regulatory frameworks, system security enhancements, and credit card payment processor coordination. The company filed breach notifications with multiple U.S. state attorneys general including California, where the notification letters are publicly available. Civil litigation has been limited based on publicly available information. The reputational impact concentrated within the food-delivery marketplace sector and across EatStreet's restaurant and delivery partner network. The case has been cited in cybersecurity coverage as part of the broader GnosticPlayers attack series targeting consumer-platform databases during the 2019 period.
About EatStreet
EatStreet was a U.S.-based online food ordering and delivery marketplace, headquartered in Madison, Wisconsin. The platform operated as a multi-sided marketplace connecting consumers with restaurants and independent delivery partners across U.S. metropolitan markets, with online and mobile ordering supported by EatStreet's own delivery network and through restaurant-managed delivery. As an account-based marketplace operator, EatStreet maintained substantial data across three distinct populations: consumer customers including identity, contact information, ordering history, and payment card data; restaurant partners including business information, addresses, and bank account and routing data used for marketplace payouts; and delivery partners including identity, contact information, and bank account information used for delivery-fee disbursement.
Why They Hold Your Data
Food-ordering platforms collect customer identity, phone numbers, addresses, payment-adjacent data, order history, and restaurant interactions across marketplace and delivery workflows.
Recent Developments
EatStreet has continued to operate following the 2019 breach. Following the breach disclosure on June 14, 2019, EatStreet announced multiple security enhancements including reinforced multi-factor authentication, credential-key rotation, and review and update of coding practices. EatStreet engaged an external information-technology forensics firm to investigate the incident and audit its systems for additional unauthorized access. EatStreet sent breach notification letters to affected customers, restaurant partners, and delivery partners and notified credit card payment processors. The breach was redistributed and indexed by DataBreach.com on March 4, 2025 as part of the broader 2024 to 2025 historical-breach indexing wave. EatStreet has continued to operate the food ordering platform without public disclosure of subsequent security incidents.
Data Points Exposed
9 verified field types
Credit Card Critical
Date of Birth High
Email Address
Full Name High
Gender
Password Critical
Phone Number
Physical Address High
Social Media Profile
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:Critical
Primary downstream threats:
- Credential stuffing against reused passwords across other platforms
- Financial fraud using exposed financial profile data
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
- Social media account targeting and impersonation
Threat vectors:
- Card-present & card-not-present fraud
- Card identification & social engineering
- Identity verification bypass
- Phishing, credential stuffing & account takeover
- Name-based social engineering
- Profile enrichment
- Credential stuffing & account takeover
- SIM swapping, vishing & SMS phishing
- Physical stalking, mail fraud & identity verification
- Account impersonation & social graph harvesting
Threat Actor: GnosticPlayers
GnosticPlayers
Misconfiguration
Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.
Recommended Actions
If you believe your information may be included:
Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the EatStreet breach?▾
EatStreet, a U.S.-based online food ordering and delivery marketplace, suffered a data breach beginning May 3, 2019 when an unauthorized third party gained access to EatStreet's database. EatStreet detected the intrusion on May 17, 2019, terminated the unauthorized access, and engaged an external…
What data was exposed?▾
Verified fields include Credit Card, Date of Birth, Email Address, Full Name, Gender, Password, Phone Number, Physical Address, Social Media Profile.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
Breach Index
Cross-source
9ghz
Cross-source
BreachForums_Official_Index
Cross-source
LeakCheck.io
Cross-source
leakfind
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation