Customers of restaurants using the HungerRush point-of-sale (POS) platform say they received emails from a threat actor attempting to extort the company, warning that restaurant and customer data could be exposed if HungerRush fails to respond.

HungerRush is a restaurant technology provider that offers point-of-sale (POS), online ordering, delivery management, and payment processing software to help restaurants manage orders, customer information, and business operations.

The company claims to work with over 16,000 restaurants, including Sbarro, Jet's Pizza, Fajita Pete's, Hungry Howie's, and many more.

Extortion emails sent to restaurant patrons

The attacker started sending the emails early Wednesday morning, with multiple recipients sharing samples with BleepingComputer.

The first email was sent from [email protected], prompting HungerRush to stop ignoring their extortion emails or it would put customer data at risk.

"You cannot ignore all my requests and expect me not to take malicious actions. You still have time," reads the email.

"Every restaurant and customer of said restaurants' data which is in the millions is in jeopardy here and I can't even get a response back. Not to worry, there's still time left."

A second email, sent three hours later from "[email protected]," escalates the threat, claiming that the attacker has access to data records for millions of customers that contain names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information. 

BleepingComputer's analysis of the email headers shows they were delivered using Twilio SendGrid, which customers have told BleepingComputer was previously used to send HungerRush restaurant receipts.

The emails were sent from o10.e.hungerrush.com (159.183.129.119), which resolves to infrastructure operated by Twilio SendGrid, a platform commonly used by companies to send transactional and marketing emails.

The email headers also confirm that the messages passed SPF, DKIM, and DMARC authentication checks for the hungerrush.com domain, as the company's SPF record, shown below, authorizes SendGrid to send emails on their behalf.

v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:mail.zendesk.com include:_spf.psm.knowbe4.com include:sendgrid.net include:4750273.spf01.hubspotemail.net -all

Numerous people on Reddit have reported receiving the emails, stating that past digital receipts from restaurants showed they used HungerRush's ordering or POS systems.

Alon Gal, co-founder and CTO of Hudson Rock, posted on LinkedIn that infostealer logs indicate a HungerRush employee's device was allegedly infected with an infostealer in October 2025, leading to the compromise of credentials.

According to Gal, the malware stole numerous corporate credentials, including those for the company's NetSuite, QuickBooks-related services, Stripe dashboards, Bill.com vendor payment systems, Visa Online commercial services, and Salesforce environments.

It is unclear if these stolen credentials are linked to the claimed breach at HungerRush.

BleepingComputer contacted HungerRush about the incident and asked whether the emails indicate a confirmed breach or unauthorized access to its systems.

For the time being, customers of restaurants using the HungerRush POS system should be on alert for potential phishing emails and SMS texts that abuse the potentially stolen information.