7-Eleven Data Breach Exposes 185,000 Individuals, ShinyHunters Claims Responsibility
A cyberattack on 7-Eleven exposed personal data of approximately 185,000 people, with the ShinyHunters extortion gang claiming responsibility and leaking a 9.4 GB archive.
A cyberattack on convenience store giant 7-Eleven has exposed the personal information of approximately 185,000 individuals, according to a notice from the company and data breach notification service Have I Been Pwned. The breach, which was later claimed by the notorious ShinyHunters extortion gang, involved the theft of email addresses, names, physical addresses, dates of birth, and phone numbers. A small number of records also contained additional data fields.
7-Eleven, which operates more than 86,000 stores across 19 countries, discovered the intrusion on April 8, 2026, when it found that an unauthorized third party had gained access to certain systems. In a security incident notice dated May 1, 7-Eleven CISO Jim Kastle confirmed that the investigation determined the compromised documents contained information individuals had submitted during the franchise application process. “We take the security of your personal information very seriously and immediately launched an investigation in order to assess the affected documents and bring this to your attention,” Kastle said, adding that the company arranged for identity theft protection services and CyberScan monitoring through IDX at no cost for up to 24 months.
While 7-Eleven did not name the threat actor, ShinyHunters claimed responsibility for the attack on April 17. The group alleged that it had stolen more than 600,000 records and later published a 9.4 GB archive of data following what it described as unsuccessful ransom negotiations. The attack vector and technical details of the intrusion have not been disclosed, leaving questions about how the attackers gained access to the franchise application system.
ShinyHunters has been linked to multiple high-profile incidents this year, including breaches at ADT, the European Commission, Aura, Rockstar Games, and Udemy. In early May, Instructure, the company behind the online learning platform Canvas, reached an agreement with the gang to prevent data stolen in a recent breach from being published online. The FBI later warned organizations and individuals against complying with ShinyHunters’ extortion demands, noting that payment does not guarantee stolen data will be deleted or prevent future extortion attempts.
The 7-Eleven breach underscores the persistent threat posed by extortion-focused cybercriminal groups that target large enterprises with valuable data. The exposure of franchise applicant information—which often includes sensitive personal details—highlights the risks associated with third-party data collection and storage. As ShinyHunters continues to operate with impunity, organizations are urged to strengthen their defenses and avoid paying ransoms, as the FBI has advised.