What Happened
HungerRush said that in the March 2, 2026 incident, attackers used compromised credentials from a third-party vendor to access its email marketing service, which let them send unauthorized emails to merchants and consumers. The company said the exposed data was limited to certain customer contact information—names, email addresses, mailing addresses, and phone numbers—and that it had found no evidence that passwords, dates of birth, Social Security numbers, payment card data, or other systems were compromised. HungerRush also said it does not store credit card data in its systems and disabled the affected email service while investigating.
