On 3rd May 2019, online food ordering platform EatStreet suffered a significant data breach affecting over 6 million users across the United States. The breach, carried out by hacker GnosticPlays, exposed sensitive customer information including names, email addresses, phone numbers, billing addresses, and payment card details—complete card numbers and CVV codes. This security incident raised serious questions about data protection practices in the food delivery industry and left millions of customers vulnerable to identity theft and financial fraud.
This guide provides everything you need to know about the EatStreet data breach, from understanding what happened to taking concrete steps to protect yourself. We’ve structured this resource to help you quickly assess your risk, take immediate protective action, and understand the broader implications for digital security.
Executive Summary: What You Need to Know Immediately
The EatStreet data breach represents one of the more serious security incidents in the food delivery industry, particularly because it exposed CVV codes—sensitive information that payment processors explicitly prohibit companies from storing after transaction authorisation.
Key Facts at a Glance:
• Breach Date: 3rd May 2019
• Discovery Date: 17th May 2019 (14-day detection gap)
• Affected Users: 6+ million customers nationwide
• Compromised Data: Names, addresses, phone numbers, emails, credit card numbers, CVV codes
• Company Response: System security enhancement, third-party investigation, customer notifications, complimentary credit monitoring services
If you used EatStreet before June 2019, you should immediately change your password, monitor your financial accounts, and review your credit reports for suspicious activity.
The EatStreet Data Breach: Complete Timeline
Understanding the sequence of events helps illuminate how this breach unfolded and why the response timeline matters. Data breaches typically follow a pattern of intrusion, exploitation, detection, and disclosure—but the gaps between these stages can significantly impact the damage caused.
3rd May 2019: Initial Breach Occurs
Hacker GnosticPlays gained unauthorised access to EatStreet’s network infrastructure. Whilst the company hasn’t publicly disclosed the exact attack vector, security experts speculate it involved exploiting a vulnerability in EatStreet’s systems. Common breach methods include phishing attacks targeting employees, exploiting unpatched software vulnerabilities, or using stolen credentials from previous breaches at other companies.
17th May 2019: EatStreet Detects the Intrusion
Nearly two weeks after the breach began, EatStreet’s security team detected suspicious activity. This 14-day detection gap represents a significant concern—during this period, hackers had unrestricted access to customer databases. Industry best practices recommend breach detection within 24-48 hours to minimise exposure. Upon discovery, the company immediately terminated the hacker’s access and began forensic investigation with third-party cybersecurity experts.
June 2019: Public Disclosure and Customer Notifications
Following their internal investigation, EatStreet began issuing data breach notification emails to affected customers in early June. Media outlets including TechCrunch and BleepingComputer reported on the incident, bringing it to broader public attention. EatStreet announced it would provide complimentary credit monitoring and identity protection services to affected customers for one year.
In the months following disclosure, multiple class-action lawsuits were filed against EatStreet, alleging inadequate data security measures and delayed breach notification. The company continued implementing enhanced security protocols, including strengthened encryption and improved intrusion detection systems.
Was Your Data Compromised? How to Check
Determining whether your information was exposed requires understanding what data the breach affected and who received notifications. If you created an EatStreet account or placed orders between January 2019 and May 2019, your data may have been compromised.
EatStreet sent email notifications to affected users in June 2019. However, the absence of notification doesn’t guarantee safety—email filters may have caught the message. If you’re uncertain, contact EatStreet customer service directly using contact information on their official website. You can also verify whether your email appears in known breaches by visiting Have I Been Pwned (haveibeenpwned.com).
Compromised Data Types
The breach exposed different categories of information depending on your account activity.
For Individual Customers:
Personal Identifiers: Full names, home addresses, phone numbers, email addresses
Financial Information (Limited Subset): Complete credit/debit card numbers (16 digits), CVV codes (3 digits), card expiration dates, cardholder names
Important clarification: Not all 6 million users had payment card information compromised. The company stated only a “limited number” of customers had financial data exposed, though exact figures weren’t disclosed.
For Restaurant and Delivery Partners:
The breach also affected business accounts, exposing business names, addresses, contact details, bank account numbers, routing numbers, and order histories.
Immediate Actions: Your Data Protection Checklist
If you believe your data was compromised, follow this prioritised action plan. The exposure of complete payment card information, including CVV codes, makes this breach particularly serious—CVV codes should never be stored after transaction authorisation.
Priority 1: Complete Today
Change Your EatStreet Password
Create a unique, strong password containing at least 12 characters with mixed uppercase, lowercase, numbers, and symbols. Avoid dictionary words or personal information. Consider a passphrase approach: combine unrelated words with numbers and symbols, like “Purple!Train47&Mango.”
Update Any Reused Passwords
If you used your EatStreet password on other accounts—email, banking, social media, shopping sites—change those immediately. Hackers routinely test stolen credentials across multiple platforms through “credential stuffing” attacks. Your email account is particularly critical, as it provides password reset access to virtually all other accounts.
Check Your Payment Card Statements
Review the past three months of transactions on any card you used with EatStreet. Look for unfamiliar merchant names, small “test” charges (£0.40-£1.50), charges from locations you haven’t visited, or unauthorised subscription services. Report suspicious transactions to your card issuer within 24 hours.
Priority 2: This Week
Place a Fraud Alert on Your Credit Reports
Contact one of the three major credit bureaux (Experian, Equifax, TransUnion) to place a fraud alert. This flags your account and requires lenders to verify your identity before extending credit. Call or visit any bureau’s website—they’re legally required to notify the others. The initial alert lasts 90 days and is completely free.
Review Your Full Credit Reports
Access free credit reports from AnnualCreditReport.com (US) or contact credit bureaux directly (UK). Look for new accounts you didn’t open, unauthorised credit enquiries, address changes you didn’t make, or unusual payment histories. File disputes immediately if you find suspicious entries.
Enrol in EatStreet’s Credit Monitoring Service
If you received a breach notification, take advantage of EatStreet’s complimentary credit monitoring. Whilst this doesn’t prevent fraud, it provides early detection alerts for new accounts or credit enquiries in your name.
Priority 3: Ongoing Protection
Monitor for Phishing Attempts
Expect increased phishing emails claiming to be from EatStreet, your bank, credit bureaux, or law firms. Red flags include requests to “verify” information, links to unofficial domains, urgent language creating panic, and requests for full card numbers or passwords. When in doubt, visit official websites directly by typing URLs yourself.
Consider a Credit Freeze
For maximum protection, place a credit freeze with all three credit bureaux. This prevents anyone—including you—from accessing your credit report without lifting the freeze using a PIN. Best for users who don’t plan to apply for credit soon or anyone who had payment card data compromised. This service has been free in all US states since 2018.
Understanding the Breach: How It Happened
Whilst EatStreet hasn’t disclosed specific technical details, understanding common attack vectors helps explain typical vulnerabilities in food delivery platforms.
Data breaches rarely result from a single failure. They typically exploit multiple weaknesses in security infrastructure, company policies, and human behaviour.
Common Data Breach Attack Vectors
Hackers exploit software vulnerabilities in outdated systems, use sophisticated phishing campaigns targeting employees with system access, obtain stolen credentials from previous breaches at other companies, or exploit weaknesses in third-party vendors. Food delivery platforms use complex technology stacks with multiple integrations—payment processors, restaurant management systems, mapping services—and each represents a potential vulnerability.
The CVV Storage Violation
One particularly concerning aspect was the exposure of CVV codes. The Payment Card Industry Data Security Standard (PCI DSS) explicitly prohibits storing CVV codes after transaction authorisation. These three-digit codes exist solely to verify card possession during transactions and should never be retained.
The presence of CVV codes in stolen data reveals serious compliance failures in EatStreet’s payment processing systems. Properly configured payment systems tokenise card data and never store complete card numbers with CVV codes together.
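For readers who run payment systems, here is an added example (not part of the original guide and not EatStreet's code): a small Python audit that flags stored records retaining a card verification value or a full, Luhn-valid card number, which is the condition described above. The field names and sample rows are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed column names that indicate a stored card verification value.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_record(record: dict) -> list:
    """Return findings for one stored record; an empty list means clean."""
    findings = []
    for key, value in record.items():
        text = str(value)
        if key.lower() in CVV_KEYS and re.fullmatch(r"\d{3,4}", text):
            findings.append(f"{key}: card verification value retained")
        for match in PAN_RE.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if luhn_valid(digits):
                findings.append(f"{key}: full card number stored (ends {digits[-4:]})")
    return findings


# Constructed sample rows; 4111 1111 1111 1111 is a standard test number.
NON_COMPLIANT = {"name": "Test User", "card_number": "4111 1111 1111 1111", "cvv": 123}
TOKENISED = {"name": "Test User", "card_token": "tok_example_9f2c", "last4": "1111",
             "order_ref": "1234567890123456"}

if __name__ == "__main__":
    for label, row in (("non-compliant", NON_COMPLIANT), ("tokenised", TOKENISED)):
        print(label, audit_record(row) or "clean")
```

The tokenised row passes because it holds only a token and the last four digits, and its 16-digit order reference fails the Luhn check, so it is not mistaken for a card number.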
How the EatStreet Breach Compares to Other Food Delivery Incidents
The EatStreet breach wasn’t isolated in the food delivery sector. Understanding comparisons provides important context about industry-wide security challenges.
DoorDash (September 2019): Just four months later, DoorDash disclosed a breach affecting 4.9 million users with similar compromised data types. Additionally, 100,000 delivery drivers had licence numbers exposed.
Zomato (May 2019): In the same month, Indian food delivery giant Zomato suffered a massive breach affecting 17 million users. Hackers stole user records and attempted to sell them on the dark web.
Common Vulnerabilities:
- Payment processing systems storing unnecessary sensitive data
- Third-party integration security weaknesses
- Insufficient access controls and monitoring
- Delayed breach detection (often weeks or months)
The EatStreet breach was mid-sized compared to Zomato but notable for CVV code exposure, which shouldn’t occur under any circumstances. This specific violation distinguishes it from comparable breaches and elevates fraud risk.
Legal and Business Implications
Data breaches carry significant legal and business consequences beyond immediate technical response. Following breaches, companies face legal obligations under various data protection laws, typically requiring notification within 30-60 days.
Consumer Rights and Legal Recourse
Affected customers are entitled to clear, timely notification about compromised data and company response steps. If you suffer actual financial losses—fraudulent charges, identity theft costs—you may pursue compensation through class-action lawsuits or individual legal action. However, proving damages without documented financial harm can be challenging.
Multiple class-action lawsuits were filed against EatStreet, alleging negligence in data security practices and inadequate breach response. Affected users may be eligible to join existing class actions—watch for legitimate legal notices through official sources.
The Reputational Cost
Beyond legal penalties, data breaches inflict severe reputational damage. Customer trust, once broken, is difficult to rebuild. Many users likely switched to competitors following the announcement. For food delivery platforms in competitive markets, reputational damage can prove more costly than direct breach response expenses.
Protecting Yourself from Future Data Breaches
Whilst you can’t control company security practices, you can significantly reduce personal risk through proactive digital security measures applicable to all online services.
Best Practices for Online Security
Use Unique Passwords: This single practice dramatically reduces breach impact. Managing dozens of unique passwords requires a password manager—software that securely stores and generates strong passwords. Reputable options include 1Password, Bitwarden, and Dashlane.
Enable Multi-Factor Authentication: MFA requires a second verification step beyond your password—typically a code sent to your phone. Even if hackers steal your password, they cannot access accounts without the second factor. Enable MFA on all accounts offering it, prioritising email, banking, and social media.
Keep Software Updated: Security patches address known vulnerabilities hackers exploit. Enable automatic updates for operating systems, browsers, and applications. Outdated software represents one of the most common entry points for attacks.
Monitor Financial Accounts Regularly: Review statements at least weekly. Enable real-time transaction notifications through mobile banking apps to catch unauthorised charges immediately.
Choosing Secure Online Services
When selecting food delivery platforms, research security practices and reputation. Look for companies offering multi-factor authentication, clear privacy policies, and good track records without major breaches.
Consider using virtual payment cards offered by many banks or services like PayPal instead of directly entering card details. These reduce the payment information stored on platforms, and the providers behind them offer superior security infrastructure.
Frequently Asked Questions
How do I know if I was affected?
EatStreet sent email notifications in June 2019. If you used EatStreet between January and May 2019 without receiving notification, contact customer service directly. Check haveibeenpwned.com to see if your email appears in breach records.
Will EatStreet refund me if I experienced fraud?
EatStreet isn’t directly responsible for unauthorised charges. Contact your card issuer immediately to dispute fraudulent transactions. Your liability is typically limited to £50/$50 if reported promptly.
Can I sue EatStreet for the data breach?
Multiple class-action lawsuits were filed. Affected users may join existing actions or pursue individual claims, though proving damages without documented losses can be challenging. Consult a solicitor specialising in data breach cases.
Is it safe to use EatStreet now?
EatStreet implemented enhanced security measures after 2019. However, all online services carry some risk. Consider using virtual payment cards or PayPal, enable multi-factor authentication, and use unique passwords.
How long should I monitor my accounts?
Continue monitoring for at least 12-24 months. Stolen data is sometimes held months before being used. Set up transaction alerts and check credit reports quarterly during this period.
Staying Vigilant in a Digital World
The EatStreet data breach serves as a reminder that digital convenience comes with inherent security risks. Understanding what happened, assessing your risk, and taking appropriate protective action will help you navigate the aftermath of this specific breach.
More broadly, adopting strong digital security practices—unique passwords, multi-factor authentication, regular monitoring—significantly reduces vulnerability to future breaches across all online services you use. Data breaches will unfortunately continue occurring as long as valuable information exists digitally. By staying informed and implementing protective measures outlined in this guide, you can substantially reduce risk exposure and respond effectively when breaches affect services you use.