7-Eleven Confirms Data Breach After ShinyHunters Ransom Demand
7-Eleven has confirmed a data breach after the ShinyHunters threat actor claimed to have stolen over 600,000 Salesforce records and demanded a ransom.
7-Eleven, the world's largest convenience store chain in the world, has confirmed suffering a data breach after the notorious ShinyHunters hacker group claimed to have stolen information from its systems. The company began sending out security incident notices revealing that an intrusion into 7-Eleven systems used to store franchisee documents was detected on April 8. According to a notification submitted to the Maine Attorney General's Office, unspecified personal information has been compromised. The exposed information was provided to the company during franchise applications. 7-Eleven has not disclosed the total number of affected individuals, but said only two Maine residents were impacted, suggesting that the impact of the incident may be limited, at least in terms of personal information compromise.
ShinyHunters listed 7-Eleven on its leak website on April 17, claiming to have stolen more than 600,000 Salesforce records, including personal information and corporate data. The cybercriminals threatened to leak the data unless a ransom was paid by April 21. They later offered to sell the stolen data for $250,000 on a popular hacker forum. ShinyHunters has been targeting the Salesforce instances of major organizations since mid-2025, stealing millions of data records. The intrusions resulted from phishing, abuse of third-party integrations, or misconfigurations, rather than vulnerabilities in Salesforce products or systems.
The hacker group and affiliated threat actors recently took credit for attacks on Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic. The 7-Eleven breach underscores the risk of third-party platform compromises and the ongoing threat from extortion-focused cybercriminal groups. The incident highlights how attackers are increasingly targeting cloud-based customer relationship management (CRM) platforms like Salesforce, which often contain vast amounts of sensitive data. The breach also demonstrates the persistent threat posed by ransomware and extortion groups that steal data and threaten to leak it if ransoms are not paid.
7-Eleven has not provided details on the specific security measures it is implementing to prevent future incidents, but the company is likely reviewing its third-party access controls and monitoring for any misuse of the stolen data. The company has advised affected individuals to remain vigilant for signs of identity theft or fraud. The breach serves as a reminder for organizations to regularly audit their third-party integrations and ensure that access to sensitive data is properly restricted.
The incident also highlights the importance of having a robust incident response plan in place to quickly detect and respond to data breaches. Organizations should also consider implementing multi-factor authentication and monitoring for unusual activity on their cloud-based platforms. The 7-Eleven breach is a significant event that underscores the need for continued vigilance in the face of evolving cyber threats.
Salesforce confirmed the campaign is not due to a platform flaw but to customer misconfigurations of Experience Cloud guest user profiles, and urged customers to audit permissions and enforce least privilege access. ShinyHunters claims to have breached approximately 400 websites and 100 high-profile companies, using a customized version of Mandiant's Aura Inspector tool to scan the /s/sfsites/aura API endpoint and extract CRM objects for follow-on social engineering and vishing campaigns.