On or before March 3, 2026, ShinyHunters - the data extortion collective tracked as UNC6240 by Google Threat Intelligence Group - breached Woflow Inc., a San Francisco-based AI merchant data platform that structures and maintains menu, inventory, and onboarding data for four of the world's largest delivery and retail platforms: Walmart, DoorDash, Uber, and Deliveroo.
ShinyHunters claims to have exfiltrated a 326-gigabyte compressed archive containing "several hundreds of millions of records" including personally identifiable information, transaction and order data, merchant onboarding details, internal corporate documents, and API tokens including OAuth2 access and refresh keys.
After Woflow refused to meet ransom demands, ShinyHunters published the archive on its Tor-based leak site on or around March 6, 2026. A class action lawsuit - Suhr v. Woflow Inc. (Case No. 3:26-cv-02161) - was filed on March 12, 2026, in the U.S. District Court for the Northern District of California, alleging the breach exposed full names, addresses, Social Security numbers, driver's license numbers, financial account information, and credit card details.
As of March 31, 2026, Woflow has not issued a public statement, has not sent breach notification letters, and has not offered credit monitoring or identity theft protection services to affected individuals.
KEY FACTS
- What: ShinyHunters breached Woflow, an AI merchant data platform that serves as the data infrastructure layer for major delivery and retail platforms, exfiltrating a 326GB compressed archive after the company refused ransom demands.
- Who: Woflow Inc. (San Francisco, CA; founded 2017; CEO Will Bewley, CTO Jordan Nemrow; ~26 employees; $10.8M total funding). Clients affected: Walmart, DoorDash, Uber, and Deliveroo (acquired by DoorDash for $3.9B in October 2025). Consumers, merchants, and employees associated with these platforms are in the blast radius.
- How: Assessed as OAuth token and API credential abuse targeting Woflow's deep SaaS integrations with client platforms. ShinyHunters leveraged stolen OAuth2 access/refresh tokens to bypass MFA and conduct API-level data exfiltration at scale - consistent with the group's documented playbook against SaaS supply chain targets.
- Data: Claimed - full names, addresses, Social Security numbers, driver's license numbers, financial account information, credit card details (per class action complaint). Additionally: merchant onboarding records, transaction/order data, PII (names, emails), internal corporate documents, API tokens, and OAuth2 keys (per security researchers).
- Actor: ShinyHunters (UNC6240 per Google Threat Intelligence Group). Part of the SLSH (Scattered Lapsus$ Hunters) ecosystem. Active since 2019. March 2026 confirmed campaign includes TELUS Digital (1PB), EU Commission (350GB claimed), Infinite Campus (11M students), Aura (903K records), and Woflow. A concurrent Crunchyroll breach (6.8M users) via a TELUS agent is assessed as likely SLSH ecosystem-affiliated but has disputed attribution.
- Impact: 326GB archive published on dark web. Class action filed (Suhr v. Woflow Inc., N.D. Cal.). No breach notifications sent. No credit monitoring offered. SaaS supply chain compromise exposing four enterprise clients through a single vendor.
WHAT HAPPENED
Woflow Inc. is a San Francisco-based AI merchant data platform founded in 2017 by Jordan Nemrow and Will Bewley.
The company raised $10.8 million across two funding rounds - a $3.5 million seed round from Craft Ventures and Base10 Partners, and a $7.3 million Series A from Base10 Partners, Construct Capital, and RiverPark Ventures.
In June 2023, Woflow acquired XtremeAI, a Seville-based document digitization startup, to expand its European operations and AI capabilities.
Woflow's core product is a merchant data platform that structures, generates, and maintains menu data, inventory information, merchant onboarding records, and operational data for digital commerce platforms.
When a restaurant syncs its point-of-sale system with a delivery app, Woflow's crawlers work behind the scenes - syncing POS data, menu items, inventory levels, and pricing in real time.
Woflow's clients include DoorDash, Walmart, Uber, and Deliveroo - platforms that collectively serve hundreds of millions of consumers globally.
Deliveroo, which was acquired by DoorDash for $3.9 billion in October 2025, used Woflow's APIs to onboard thousands of merchants per month, achieving 66% faster menu creation through the integration.
This means DoorDash's exposure to the Woflow breach is doubled: both directly as a named client and indirectly through its Deliveroo subsidiary.
On or before March 3, 2026, ShinyHunters compromised Woflow's systems. ShinyHunters issued a "FINAL WARNING" on March 3, threatening to release the stolen data by March 5 unless Woflow met its demands.
The group claimed to have exfiltrated "several hundreds of millions of records" containing PII, transaction and order data, and internal corporate data.
Woflow did not comply. On or around March 6, 2026, ShinyHunters published a 326-gigabyte compressed archive on its Tor-based leak site - an archive that expands to significantly larger volumes of raw data.
The group explicitly named DoorDash, Deliveroo, Uber, and Walmart as affected clients, a deliberate tactic to maximize reputational pressure on Woflow and its enterprise partners.
As of March 31, 2026 - 28 days after the breach - Woflow has not issued a public statement. The company has not acknowledged the incident. No breach notification letters have been sent to affected individuals. No state attorney general filings have been made.
No credit monitoring or identity theft protection services have been offered.
THE THREAT ACTOR
ShinyHunters (UNC6240 per Google Threat Intelligence Group) is a financially motivated data extortion collective that has operated since 2019 as part of the broader SLSH (Scattered Lapsus$ Hunters) ecosystem.
The group uses a "pay or leak" model: breach a target, demand ransom, and publish the stolen data if the company refuses.
In March 2026 alone, ShinyHunters claimed or confirmed responsibility for breaches at TELUS Digital (1 petabyte stolen, $65 million ransom demanded), Crunchyroll (6.8 million users exposed via compromised TELUS support agent), Infinite Campus (11 million student records threatened), Aura (903,100 records exfiltrated via vishing), and Woflow.
The group has targeted over 100 organizations since September 2025, spanning education, financial services, healthcare, technology, retail, and energy sectors.
ShinyHunters has increasingly focused on SaaS supply chain attacks - compromising integration-rich vendors to gain downstream access to multiple enterprise environments.
The group's documented playbook includes OAuth token theft, API credential abuse, vishing for initial access, and exploitation of SaaS-to-SaaS trust relationships.
Key arrests have not dismantled operations: Sebastien Raoult received three years plus $5 million restitution (January 2024), Matthew D. Lane pleaded guilty to the PowerSchool hack (June 2025), four French affiliates were arrested in June 2025, and IntelBroker was arrested in France in February 2025. Core leadership remains operational.
WHAT WAS EXPOSED
Based on ShinyHunters' claims, security researcher analysis, and the class action complaint (Suhr v. Woflow Inc.), the following data types were compromised:
- Full names - linked to addresses, email addresses, and financial details, enabling identity correlation and targeted fraud.
- Residential addresses - exposed for consumers and employees associated with Woflow's services.
- Social Security numbers - the most damaging data type. SSNs are permanent, irrevocable, and the primary identifier for credit applications, tax filings, and government benefits. Exposure triggers mandatory notification in all 50 states.
- Driver's license numbers - state-issued identity documents that, combined with names and addresses, enable identity fraud, fraudulent license applications, and synthetic identity creation.
- Financial account information - bank account numbers, routing numbers, and related financial data. Enables direct account takeover and fraudulent transactions.
- Credit card account details - card numbers and associated data. Requires immediate card replacement and monitoring for unauthorized charges.
- Merchant onboarding records - detailed operational data from merchant enrollment processes for DoorDash, Walmart, Uber, and Deliveroo. May include business owner PII, tax identification numbers, banking details for payment processing, and operational configurations.
- Transaction and order data - records of transactions processed through Woflow's data infrastructure. Reveals purchasing patterns, business volumes, and potentially customer-merchant relationships.
- Internal corporate documents - proprietary Woflow business information, strategic documents, and operational data.
- API tokens and OAuth2 access/refresh keys - credentials enabling programmatic access to Woflow's client environments. If not immediately revoked, these tokens provide persistent backdoor access to downstream systems at DoorDash, Walmart, Uber, and Deliveroo - bypassing MFA and traditional login controls entirely.
The exposure of OAuth2 tokens is the most operationally dangerous element of this breach.
Unlike passwords that can be changed, OAuth tokens function as "durable keys" - they persist until explicitly revoked, bypass multi-factor authentication, and enable API-level access that appears as legitimate traffic.
If Woflow's client organizations have not conducted emergency token revocation and rotation across all Woflow integrations, ShinyHunters or secondary actors who purchased the archive may retain active access to downstream enterprise environments.
TECHNICAL FAILURE CHAIN
1. SaaS supply chain concentration risk. Woflow positioned itself as the data infrastructure layer for four of the world's largest delivery and retail platforms.
This created a single point of compromise: one breach at Woflow cascades across Walmart, DoorDash, Uber, and Deliveroo simultaneously.
Woflow's clients delegated critical data processing to a startup with approximately 26 employees and $10.8 million in total funding - without, evidently, sufficient contractual or technical controls to limit blast radius.
2. OAuth token hygiene failures. Security researchers assessed that ShinyHunters likely leveraged stolen OAuth2 access and refresh tokens to conduct API-level data exfiltration.
This indicates over-permissioned OAuth scopes (tokens granted broader access than necessary), long-lived tokens (tokens not configured to expire within hours or days), inherited permissions from privileged service accounts, and absence of sender-constrained tokens that bind to specific client certificates.
Properly scoped, time-limited, and constrained tokens would have limited the volume and breadth of data accessible through any single compromised credential.
3. Insufficient network monitoring and intrusion detection. Exfiltrating 326 gigabytes of data generates substantial network traffic.
The absence of data loss prevention controls, egress monitoring, or anomaly detection allowed the full exfiltration to complete without triggering an alarm.
4. Inadequate data protection for sensitive PII. For a platform processing Social Security numbers, driver's license numbers, and financial account data on behalf of enterprise clients, this represents a fundamental failure to implement encryption at rest, field-level encryption for sensitive data types, access controls limiting which systems and users can query PII, and data classification policies that segregate high-sensitivity records from operational data.
5. Complete failure of incident response and disclosure. Twenty-eight days after ShinyHunters published the 326GB archive, Woflow has issued no public statement, sent no breach notification letters, filed no state attorney general notifications, and offered no credit monitoring.
California law (Cal. Civ.
Twenty-eight days of silence - while stolen data sits on the dark web - is unreasonable on its face.
6. Third-party risk management failures by enterprise clients. Walmart, DoorDash, Uber, and Deliveroo each bear responsibility for their vendor risk management programs.
Entrusting merchant data, consumer PII, and API credentials to a 26-employee startup without rigorous security assessments, contractual breach notification requirements, data minimization mandates, and continuous monitoring of the third party's security posture represents a systemic failure of third-party risk governance.
INDICATORS OF COMPROMISE
Threat Actor:
- ShinyHunters (UNC6240)
- Part of SLSH ecosystem
Attack Vector:
- Assessed as OAuth token and API credential abuse
- Over-permissioned OAuth scopes with long-lived tokens
Exfiltration:
- 326 GB compressed archive published on Tor leak site
- Initial claim: March 3, 2026
- Full archive published: ~March 6, 2026
Downstream Platforms Affected:
- Walmart, DoorDash, Uber, Deliveroo
Persistence Risk:
- Exposed OAuth2 access/refresh tokens enable persistent API access until revoked
REGULATORY EXPOSURE
- CCPA/CPRA (California) - Woflow is incorporated and headquartered in California. The breach exposed personal information as defined under Cal. Civ. Code 1798.140(v), including SSNs, driver's license numbers, and financial account data. CCPA provides a private right of action (1798.150) for breaches resulting from failure to maintain reasonable security, with statutory damages of $100-$750 per consumer per incident. CPRA allows the California Privacy Protection Agency to impose administrative fines of up to $7,500 per intentional violation. The class action already invokes Cal. Civ. Code 1798.80 et seq.
- California Unfair Competition Law (Cal. Bus. & Prof. Code 17200) - The class action cites Woflow's privacy policy promise to "maintain organizational and technical processes and procedures in place to protect your personal information" as the basis for an unfair business practices claim. The gap between this promise and the breach outcome constitutes a potentially deceptive practice.
- FTC Act Section 5 - Woflow's privacy policy representations about maintaining security measures, combined with the alleged failure to implement those measures, may constitute unfair or deceptive practices under Section 5 of the FTC Act (15 U.S.C. 45). The FTC has enforcement authority through consent decrees and multi-million dollar settlements.
- State breach notification laws - SSN exposure triggers mandatory notification in all 50 states. Most states require notification within 30-60 days of discovery. As of March 31, 2026, Woflow has filed no state attorney general notifications - a violation that compounds daily.
- GDPR (EU/EEA) - Deliveroo operates in the UK, France, Belgium, Ireland, and Italy. Woflow acquired XtremeAI (Seville, Spain) in June 2023, expanding its European operations. If merchant onboarding data, consumer records, or employee PII of EU/EEA residents are among the exfiltrated records - a near certainty given Deliveroo's European footprint - GDPR applies. Article 5(1)(f) (integrity and confidentiality), Article 32 (security of processing), Article 33 (72-hour DPA notification), and Article 34 (individual notification for high-risk breaches) are all implicated. Fines up to EUR 20 million or 4% of annual global turnover of the data controller. DoorDash reported $13.7 billion in revenue for FY2025, placing theoretical maximum GDPR fine exposure at approximately $549 million.
- UK GDPR / DPA 2018 - Deliveroo is headquartered in London and serves millions of UK consumers. The ICO has enforcement authority with fines up to GBP 17.5 million or 4% of global turnover. DoorDash's acquisition of Deliveroo means DoorDash inherits regulatory exposure for Deliveroo's data protection obligations in the UK.
- UAE PDPL (Federal Decree-Law No. 45/2021) - Deliveroo operates in the UAE. If UAE consumer or merchant data was processed through Woflow's platform, fines up to AED 10 million apply.
- Gramm-Leach-Bliley Act - If Woflow processes financial account information on behalf of entities classified as financial institutions under GLBA, the Safeguards Rule requires a comprehensive information security program. The alleged exposure of financial account details and credit card information may trigger GLBA enforcement.
- PCI DSS - The exposure of credit card account details indicates a likely PCI DSS compliance failure. Organizations storing, processing, or transmitting cardholder data must comply with PCI DSS requirements for encryption, access controls, monitoring, and incident response. Non-compliance can result in fines of $5,000-$100,000 per month from payment card brands and potential loss of card processing privileges.
ZERO|TOLERANCE Advisory
1. Implement short-lived, sender-constrained OAuth tokens with least-privilege scopes.
Every API integration between Woflow and its enterprise clients should use tokens that expire within hours (not days or weeks), are bound to specific client certificates (sender-constrained), and are scoped to the minimum data access required for each operation.
This directly mitigates the OAuth token theft that enabled API-level exfiltration at scale.
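The token-hygiene failures listed in the failure chain (over-permissioned scopes, long-lived tokens, no sender-constraining) and the controls recommended here can be checked mechanically at issuance or in a periodic audit. The following is an added example, not Woflow's or any client's code: it evaluates an access token's claim set against a per-integration policy. The "cnf" confirmation claim is the standard sender-constraint mechanism (an mTLS certificate thumbprint under "x5t#S256" per RFC 8705, or a DPoP key thumbprint under "jkt" per RFC 9449). The client name, scope names, claim values and policy limits are constructed for the illustration; signature verification of the token is assumed to have happened before this check.

```go
// Added example (not Woflow's or any client's code): policy check for an OAuth 2.0
// access token's claim set, covering lifetime, sender-constraining and scope.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenClaims is the subset of JWT claims the policy inspects. "cnf" carries the
// sender-constraint: "x5t#S256" (mTLS, RFC 8705) or "jkt" (DPoP, RFC 9449).
type TokenClaims struct {
	Subject   string            `json:"sub"`
	IssuedAt  int64             `json:"iat"`
	ExpiresAt int64             `json:"exp"`
	Scope     string            `json:"scope"`
	Cnf       map[string]string `json:"cnf,omitempty"`
}

// TokenPolicy is the per-integration policy. AllowedScopes lists the only scopes
// this integration legitimately needs (hypothetical scope names).
type TokenPolicy struct {
	MaxLifetime   time.Duration
	AllowedScopes map[string]bool
}

// EvaluateToken returns one finding per violation; an empty result means the
// token satisfies the policy.
func EvaluateToken(c TokenClaims, p TokenPolicy) []string {
	var findings []string

	lifetime := time.Duration(c.ExpiresAt-c.IssuedAt) * time.Second
	if lifetime > p.MaxLifetime {
		findings = append(findings, fmt.Sprintf("lifetime %s exceeds maximum %s", lifetime, p.MaxLifetime))
	}

	// A token with neither confirmation method is a plain bearer token: anyone who
	// obtains it can replay it, which is exactly the failure mode in this breach.
	if _, mtls := c.Cnf["x5t#S256"]; !mtls {
		if _, dpop := c.Cnf["jkt"]; !dpop {
			findings = append(findings, "bearer token (no cnf binding): replayable by any holder")
		}
	}

	for _, s := range strings.Fields(c.Scope) {
		if s == "*" || strings.HasSuffix(s, ":*") {
			findings = append(findings, "wildcard scope "+s)
			continue
		}
		if !p.AllowedScopes[s] {
			findings = append(findings, "scope not in integration allowlist: "+s)
		}
	}
	return findings
}

// ParseClaims decodes a JSON claim set (the JWT payload after base64url decoding).
func ParseClaims(raw string) (TokenClaims, error) {
	var c TokenClaims
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

// Constructed sample claim sets. The weak token lives 30 days, is unbound and
// carries a wildcard scope; the hardened one lives one hour and is mTLS-bound.
const weakToken = `{"sub":"menu-sync-service","iat":1772496000,"exp":1775088000,"scope":"*"}`
const hardenedToken = `{"sub":"menu-sync-service","iat":1772496000,"exp":1772499600,"scope":"menus:read inventory:read","cnf":{"x5t#S256":"constructed-cert-thumbprint"}}`

// menuSyncPolicy is a constructed policy for a read-only menu/inventory sync.
var menuSyncPolicy = TokenPolicy{
	MaxLifetime:   time.Hour,
	AllowedScopes: map[string]bool{"menus:read": true, "inventory:read": true},
}

func main() {
	for name, raw := range map[string]string{"weak": weakToken, "hardened": hardenedToken} {
		c, err := ParseClaims(raw)
		if err != nil {
			panic(err)
		}
		findings := EvaluateToken(c, menuSyncPolicy)
		fmt.Printf("%s token: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run as-is it reports three findings for the weak token and none for the hardened one. In practice the same check belongs in the authorization server's issuance path, so that a token violating the policy is never minted.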
2. Deploy data loss prevention and egress monitoring with volume-based alerts. Exfiltrating 326 gigabytes of data generates network traffic that DLP systems and egress monitoring should detect immediately.
Thresholds should trigger automated alerts when data transfer volumes exceed baseline patterns - particularly for API endpoints serving PII and merchant data.
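Volume-based egress alerting of the kind described here (and whose absence the failure chain names) reduces to aggregating response bytes per principal per time window and comparing against a baseline and a hard cap. The following is an added example, not Woflow's or any client's code. The access-log format, client names, endpoint paths and byte counts are constructed; in a real deployment the baseline would be derived from a trailing window rather than hard-coded.

```go
// Added example (not Woflow's or any client's code): volume-based egress alerting
// over constructed API access logs.
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed access log: a routine sync client, and a batch principal that pulls
// two 10 GiB exports within one hour on 2026-03-03.
const sampleLog = `2026-03-02T09:00:12Z client=menu-sync-service endpoint=/v1/menus status=200 bytes=2097152
2026-03-02T09:15:40Z client=menu-sync-service endpoint=/v1/inventory status=200 bytes=1048576
2026-03-02T09:30:03Z client=onboarding-batch endpoint=/v1/merchants/export status=200 bytes=52428800
2026-03-03T02:10:07Z client=onboarding-batch endpoint=/v1/merchants/export status=200 bytes=10737418240
2026-03-03T02:12:31Z client=onboarding-batch endpoint=/v1/merchants/export status=200 bytes=10737418240
2026-03-03T02:14:55Z client=menu-sync-service endpoint=/v1/menus status=200 bytes=2097152
`

// Capture groups: 1 = UTC hour bucket, 2 = client, 3 = endpoint, 4 = status, 5 = bytes.
var lineRe = regexp.MustCompile(`^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z client=(\S+) endpoint=(\S+) status=(\d+) bytes=(\d+)$`)

// HourlyEgress sums response bytes per client per UTC hour, e.g. "2026-03-03T02".
// Lines that do not match the expected format are skipped.
func HourlyEgress(log string) map[string]map[string]int64 {
	totals := map[string]map[string]int64{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		n, err := strconv.ParseInt(m[5], 10, 64)
		if err != nil {
			continue
		}
		if totals[m[2]] == nil {
			totals[m[2]] = map[string]int64{}
		}
		totals[m[2]][m[1]] += n
	}
	return totals
}

// Alert is one client-hour whose egress exceeded policy.
type Alert struct {
	Client, Hour string
	Bytes        int64
	Reason       string
}

// baseline is the expected hourly volume per principal (constructed values).
var baseline = map[string]int64{
	"menu-sync-service": 4 << 20,  // 4 MiB/hour
	"onboarding-batch":  64 << 20, // 64 MiB/hour
}

// EgressAlerts flags a client-hour when the principal has no baseline at all,
// when it exceeds the hard cap, or when it exceeds factor x its baseline.
func EgressAlerts(totals map[string]map[string]int64, factor, hardCap int64) []Alert {
	var alerts []Alert
	for client, hours := range totals {
		for hour, n := range hours {
			base, known := baseline[client]
			switch {
			case !known:
				alerts = append(alerts, Alert{client, hour, n, "no baseline for principal"})
			case n > hardCap:
				alerts = append(alerts, Alert{client, hour, n, fmt.Sprintf("exceeds hard cap of %d bytes", hardCap)})
			case n > factor*base:
				alerts = append(alerts, Alert{client, hour, n, fmt.Sprintf("%dx over baseline of %d bytes", n/base, base)})
			}
		}
	}
	return alerts
}

func main() {
	// Policy: alert at 5x baseline, or at any client-hour above 1 GiB.
	for _, a := range EgressAlerts(HourlyEgress(sampleLog), 5, 1<<30) {
		fmt.Printf("ALERT %s %s: %d bytes (%s)\n", a.Hour, a.Client, a.Bytes, a.Reason)
	}
}
```

On the constructed log this raises a single alert, for onboarding-batch in the 02:00 UTC hour on 2026-03-03, where roughly 20 GiB left through the merchant export endpoint. Endpoints serving PII and merchant data warrant their own, tighter baselines; the per-client aggregation here is the minimum that would have made a 326 GB pull visible.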
3. Encrypt sensitive PII at the field level with separate key management. Social Security numbers, driver's license numbers, and financial account data should be encrypted at the field level using keys managed separately from application credentials.
Even if an attacker exfiltrates the database, field-level encryption renders the most sensitive data types unreadable without the corresponding decryption keys.
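The design the advisory describes is envelope encryption with the key-encryption key held outside the application database: each sensitive value is encrypted under its own data-encryption key, and that key is stored only in wrapped form, so a database dump yields ciphertext and wrapped keys and nothing else. The following is an added example, not Woflow's or any client's code. The KeyService type stands in for an external KMS or HSM and is an assumption of the example; the record identifier, column name and the all-zero SSN are constructed. It uses AES-256-GCM from the Go standard library for both the field encryption and the key wrapping, and binds each ciphertext to its record and column via the GCM additional data so a ciphertext cannot be quietly moved onto another record.

```go
// Added example (not Woflow's or any client's code): field-level envelope
// encryption with the key-encryption key held outside the database.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for an external KMS/HSM (assumed for this example). It holds
// the key-encryption key (KEK) and only wraps or unwraps data-encryption keys; the
// KEK itself never reaches the application database.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is AES-256-GCM with a fresh random nonce; the output is nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func (k *KeyService) Wrap(dek []byte) ([]byte, error) { return seal(k.kek, dek, []byte("dek-wrap")) }
func (k *KeyService) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w, []byte("dek-wrap")) }

// EncryptedField is what the database stores. Neither part is usable without
// the KeyService that wrapped the DEK.
type EncryptedField struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// bindingAAD ties a ciphertext to its record and column.
func bindingAAD(recordID, field string) []byte { return []byte(recordID + "/" + field) }

// EncryptField generates a fresh DEK for this value, encrypts the value under it,
// and stores the DEK only in wrapped form.
func EncryptField(ks *KeyService, recordID, field, value string) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, []byte(value), bindingAAD(recordID, field))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptField is the only path back to plaintext, and it requires the KeyService.
func DecryptField(ks *KeyService, recordID, field string, ef EncryptedField) (string, error) {
	dek, err := ks.Unwrap(ef.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ef.Ciphertext, bindingAAD(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	ks, _ := NewKeyService()
	ef, _ := EncryptField(ks, "merchant-0001", "owner_ssn", "000-00-0000") // constructed value
	fmt.Printf("stored: %d ciphertext bytes, %d wrapped-DEK bytes\n", len(ef.Ciphertext), len(ef.WrappedDEK))
	// A different KeyService stands in for someone holding only the database dump.
	if _, err := DecryptField(&KeyService{kek: make([]byte, 32)}, "merchant-0001", "owner_ssn", ef); err != nil {
		fmt.Println("dump without KEK:", err)
	}
}
```

The separation matters because the attack this report describes was API-level data access, not key theft: an exfiltrated table of EncryptedField rows reveals only lengths and record identifiers until the KeyService unwraps a DEK, and that unwrap is a separately authenticated, separately logged operation that can be rate-limited and revoked on its own.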
4. Enforce contractual third-party risk requirements including continuous monitoring.
Walmart, DoorDash, Uber, and Deliveroo should require all SaaS vendors handling PII to undergo annual SOC 2 Type II audits, maintain breach notification SLAs (measured in hours, not weeks), submit to continuous security monitoring, and comply with data minimization requirements that prevent vendors from accumulating data beyond operational necessity.
5. Conduct immediate token revocation and rotation across all Woflow integrations. Every organization that has integrated with Woflow's APIs must immediately revoke all existing OAuth tokens, API keys, and service account credentials associated with Woflow.
New tokens should be issued with reduced scopes and shortened lifetimes. Audit logs should be reviewed for any API activity using Woflow-associated credentials since March 3, 2026.
6. Implement incident response and breach notification procedures that comply with legal requirements.
Woflow's 28-day silence violates California breach notification law, likely violates GDPR's 72-hour notification requirement, and deprives affected individuals of the ability to protect themselves.
Companies processing PII must maintain documented incident response plans with predetermined notification templates, legal counsel engagement procedures, and credit monitoring vendor agreements that can be activated within 72 hours of breach discovery.
SOURCES
Cybernews, SC Media, Security Boulevard, BrinzTech, SecurityBrief, AppOmni, ClassAction.org, Class Action U, Mason LLP (Mason & Perry), Migliaccio & Rathod LLP, Justia (Suhr v. Woflow Inc.