7-Eleven confirms data breach claimed by the ShinyHunters gang
7-Eleven confirmed that attackers accessed internal systems and stole customer data, with the ShinyHunters extortion group claiming responsibility and leaking a 9.4GB archive.
Convenience store giant 7-Eleven has confirmed a data breach that the ShinyHunters extortion group claimed responsibility for last month. In notifications sent to affected individuals on May 1 and filed in multiple U.S. states on Friday, the company disclosed that attackers gained access to some of its systems in early April and stole personal information from an undisclosed number of people.
7-Eleven, which operates over 86,000 stores globally including 13,000 in the U.S. and Canada, said the breach involved systems used to store franchisee documents. The company's 7Rewards and Speedy Rewards loyalty programs have more than 100 million members. 7-Eleven also operates Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations.
ShinyHunters claimed the attack on April 17, alleging they stole over 600,000 records containing corporate data and personally identifiable information after breaching the company's Salesforce environment. Less than a week later, after 7-Eleven refused to pay a ransom, the group leaked a 9.4GB archive of documents on their dark web leak site. "The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made," the cybercriminals said.
7-Eleven said it immediately launched an investigation and notified law enforcement. "We take the security of your personal information very seriously and immediately launched an investigation in order to assess the affected documents and bring this to your attention," the company stated. A spokesperson was not immediately available for additional comment.
The breach is not 7-Eleven's first security incident. In August 2022, 7-Eleven Denmark confirmed it was hit by a ransomware attack that encrypted systems and forced the temporary closure of 175 stores.
ShinyHunters has been aggressively targeting Salesforce customers over the past year, breaching hundreds of companies in campaigns such as the Salesloft Drift campaign and the more recent Salesforce Aura data theft attacks. The group has claimed breaches at major organizations including the European Commission, Vimeo, McGraw-Hill, Medtronic, Zara, PornHub, Rockstar Games, Match Group, ADT, Google, and Cisco.
The FBI has advised ShinyHunters' victims not to pay ransoms, warning that doing so does not guarantee the data will not be leaked or sold to other criminals. Last week, edtech giant Instructure reached an agreement with ShinyHunters to prevent the leak of stolen data, though security experts remain skeptical about the group's claims of deleting the data.
The breach notification letters sent to affected franchisees reveal that 7-Eleven discovered the intrusion on April 8 and determined that attackers accessed systems used to store franchisee documents, though the company has not disclosed the total number of impacted individuals. The ShinyHunters group had previously claimed responsibility for the breach and leaked a 9.4GB archive of stolen data, which 7-Eleven's latest disclosure now confirms as legitimate. The investigation into the full scope of the incident remains ongoing.