7-Eleven, the world's largest convenience store chain, has confirmed a data breach after the ShinyHunters extortion group claimed to have stolen more than 600,000 Salesforce records from its systems. The intrusion was detected on April 8 and disclosed through a notification to the Maine Attorney General's Office, which lists only two Maine residents among the impacted individuals. ShinyHunters listed the company on its leak site on April 17 and demanded a ransom by April 21, later offering the data for $250,000 on a hacker forum.
What Happened
7-Eleven detected an intrusion into the internal systems used to store franchisee documents on April 8, 2026. The compromised environment held information collected during franchise applications, including unspecified personal data submitted by prospective franchisees. The company has begun issuing security incident notices to affected individuals and filed a breach notification with the Maine Attorney General's Office. While the total number of impacted individuals has not been publicly disclosed, only two Maine residents were named in that filing, suggesting the personal-information exposure may be narrower than the volume of stolen records implies. ShinyHunters publicly listed 7-Eleven on its leak portal on April 17, threatening publication unless a ransom was paid by April 21. When that deadline lapsed, the group pivoted to monetization, advertising the dataset for sale at $250,000 on a popular cybercrime forum.
What Was Taken
According to ShinyHunters' own claims, the threat actor exfiltrated more than 600,000 Salesforce records belonging to 7-Eleven. The dataset reportedly includes a mix of personal information and corporate data tied to franchise operations and applicant records. 7-Eleven's official notification confirms that personal information provided during franchise applications was accessed, though the company has not enumerated the specific data fields involved. Franchise application packages typically contain identity documents, contact information, financial disclosures, business history, and references, all of which would be high-value inputs for downstream fraud, business email compromise, or targeted social engineering against franchisees and corporate staff.
Why It Matters
The 7-Eleven incident is the latest entry in a sustained ShinyHunters campaign that has hit Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic in recent months. The pattern is consistent: large enterprises with substantial Salesforce footprints, data exfiltration at scale, public listings on a leak site, and a short ransom window followed by forum sales when payment is refused. For defenders, this signals that Salesforce tenants are now firmly established as a top-tier extortion target, not because of platform flaws but because of how organizations configure, integrate, and grant access to them. The relatively small number of Maine residents in the 7-Eleven notification also illustrates a notification-volume vs. data-volume mismatch that is becoming common in these incidents: a breach can yield hundreds of thousands of corporate records while triggering only a small consumer-protection footprint, masking the operational severity from public reporting.
The Attack Technique
ShinyHunters has not relied on zero-day vulnerabilities in Salesforce products. Across the broader 2025 to 2026 campaign, intrusions have been traced to phishing of users with Salesforce access, abuse of third-party integrations and OAuth-connected applications, and tenant misconfigurations that expose excessive data to compromised accounts or apps. Once initial access is obtained, the group pivots to bulk record export through legitimate Salesforce APIs and data-loader tooling, blending exfiltration with normal administrative activity. The model is then a classic data-theft extortion play: leak site listing, short countdown, and forum sale on non-payment, with no encryption component.
What Organizations Should Do
- Audit every connected app, OAuth grant, and third-party integration in your Salesforce tenants and revoke anything unused, unowned, or over-scoped.
- Enforce phishing-resistant MFA for all Salesforce users, especially administrators, integration accounts, and franchisee or partner portals.
- Restrict bulk data export capabilities through profile, permission set, and IP-range controls, and alert on large API-driven record pulls from unusual sessions.
- Review franchisee, partner, and applicant data stored in CRM platforms and minimize retention of high-sensitivity fields that are not operationally required.
- Treat Salesforce tenants as Tier 0 assets in your monitoring program by ingesting Event Monitoring logs into the SIEM with detections for anomalous report exports, data loader usage, and connected-app activity.
- Prepare a breach-response playbook specific to SaaS data-theft extortion, including legal counsel, regulator notification thresholds, and a non-payment communications plan.
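The bulk-pull alerting recommended in the list above, as an added example that is not from the original article or from Salesforce: it totals API rows per user, client and source IP per hour and flags totals that are large, come from an untrusted network, or use an unapproved client. The log rows are constructed, and the column names (modeled on an Event Monitoring style CSV export), allowlists and threshold are assumptions to adapt to your tenant.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; column names are assumptions modeled on an
# Event Monitoring style CSV export, not taken from any real tenant.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
2026-01-15T09:01:12Z,005A,10.20.1.15,ApprovedETL,Account,1800
2026-01-15T09:14:40Z,005A,10.20.1.15,ApprovedETL,Contact,2100
2026-01-15T13:02:03Z,005B,203.0.113.44,UnknownLoader,Contact,48000
2026-01-15T13:09:51Z,005B,203.0.113.44,UnknownLoader,Account,52000
2026-01-15T13:40:27Z,005C,198.51.100.7,ApprovedETL,Lead,900
"""

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range
APPROVED_CLIENTS = {"ApprovedETL"}                     # assumed connected-app allowlist
ROWS_PER_HOUR_LIMIT = 50_000                           # assumed baseline; tune per tenant

def detect_bulk_pulls(log_text):
    """Return alerts for hourly API pulls that are large or from an unusual source."""
    buckets = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        hour = ts.strftime("%Y-%m-%dT%H:00Z")
        key = (hour, row["USER_ID"], row["CLIENT_IP"], row["CLIENT_NAME"])
        buckets[key] += int(row["ROWS_PROCESSED"] or 0)

    alerts = []
    for (hour, user, ip, client), rows in sorted(buckets.items()):
        addr = ipaddress.ip_address(ip)
        reasons = []
        if rows > ROWS_PER_HOUR_LIMIT:
            reasons.append("volume")
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append("untrusted_ip")
        if client not in APPROVED_CLIENTS:
            reasons.append("unapproved_client")
        if reasons:
            alerts.append({"hour": hour, "user": user, "ip": ip,
                           "client": client, "rows": rows, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_pulls(SAMPLE_LOG):
        print(alert)
```

Note that neither of the 005B requests exceeds the limit alone if it were set per request at 60,000; aggregating per hour is what surfaces the 100,000-row pull.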
Sources: 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand