On April 18, 2026, the ShinyHunters extortion group published a leak-site listing naming 7-Eleven, Inc. as a victim, claiming exfiltration of more than 600,000 Salesforce records containing personally identifiable information and other internal corporate data. The post, catalogued by RedPacket Security, issues a payment deadline of April 21, 2026 before the attackers threaten to release the stolen dataset. The listing carries a verification caveat: recent ShinyHunters posts have included unverified or fabricated victim claims, and the group has been linked to branded-scam activity, so the claim should be treated as unconfirmed pending corroborating evidence.
What Happened
According to the leak page, ShinyHunters asserts it has compromised 7-Eleven's Salesforce environment and extracted more than 600,000 records. The listing is framed as a "final warning," a hallmark of double-extortion posturing, and sets an April 21, 2026 deadline for the convenience-store operator to engage with the attackers. No sample files, screenshots, or directory listings accompany the post, which is unusual for ShinyHunters, whose historical leaks typically include partial data dumps or file-tree proofs. RedPacket Security flagged the listing with a verification alert citing BankInfoSecurity reporting on fake or rebranded ShinyHunters activity, meaning analysts should currently treat the claim as unconfirmed.
What Was Taken
The attackers claim the stolen dataset comprises over 600,000 Salesforce records, described as containing personally identifiable information alongside other internal corporate content. If accurate, a Salesforce corpus of that size from a retailer the scale of 7-Eleven would plausibly include customer contact details, loyalty-program identifiers, marketing-campaign records, case or support histories, and potentially franchisee or B2B partner data. Without published samples, the precise fields, freshness, and provenance of the data cannot be verified. The absence of proofs on the leak page is notable and weighs against, but does not disprove, the claim.
Why It Matters
Salesforce has become a consistent target theme in ShinyHunters' 2025 and 2026 operations, reflecting a broader trend of extortion crews pivoting from on-premises file servers toward SaaS-tenant data exfiltration where large CRM datasets sit under comparatively thin access controls. A confirmed compromise at a retailer of 7-Eleven's footprint would carry significant downstream risk: phishing and smishing campaigns targeting loyalty customers, fraud against store-branded payment products, and regulatory exposure across multiple U.S. state privacy regimes plus international jurisdictions where 7-Eleven operates. Even if this specific claim proves fabricated, defenders cannot dismiss the pattern; the attack technique behind similar, verified 2025 Salesforce thefts has been repeatedly weaponized.
The Attack Technique
The leak page does not specify an initial access vector. However, ShinyHunters' documented Salesforce-targeted campaigns have historically relied on social engineering of support or sales staff to authorize malicious connected apps, OAuth token abuse, voice phishing to harvest SSO credentials, and theft of session cookies via infostealer logs traded on criminal marketplaces. Once inside a Salesforce tenant, the group typically uses the Data Loader utility or legitimate API integrations to bulk-export objects such as Accounts, Contacts, Leads, and Cases. The incident is characterized as a pure data-theft extortion event, not a file-encryption attack, consistent with ShinyHunters' tradecraft of operating without a conventional ransomware locker.
What Organizations Should Do
- Audit all Salesforce connected apps and OAuth tokens, revoke any unsanctioned or dormant integrations, and require admin approval plus IP allowlisting for new app authorizations.
- Enforce phishing-resistant MFA (FIDO2 or hardware keys) on every Salesforce account, prioritize privileged admin and integration-user roles, and disable legacy SSO fallbacks.
- Deploy Salesforce Event Monitoring or Shield, and alert on anomalous bulk API calls, Data Loader sessions from new ASNs, and Report Export events exceeding baseline record counts.
- Rotate and vault all Salesforce API keys, session tokens, and service-account credentials, and confirm no corporate credentials appear in recent infostealer log dumps.
- Brief support, sales, and IT helpdesk staff on voice-phishing scenarios that request MFA resets or connected-app approvals, and require out-of-band verification for such requests.
- Prepare breach-response and notification playbooks now: map the Salesforce data model to applicable privacy regimes and draft customer communications in case the claim is substantiated.
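The export-monitoring recommendation above can be prototyped offline before it is built into a SIEM rule. The following is an added example, not code from RedPacket Security or Salesforce: it assumes a simplified, pre-enriched export log whose column names (day, user, event, client, asn, rows) are hypothetical and must be mapped to your own Event Monitoring data, and it flags exports that exceed a per-user baseline or arrive from an ASN the user has not used before.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: simplified, pre-enriched export log. Column names are
# assumptions for this example, not the Salesforce Event Monitoring schema.
SAMPLE = """\
day,user,event,client,asn,rows
2026-04-01,svc-marketing,BulkApi,Integration,AS64500,1200
2026-04-02,svc-marketing,BulkApi,Integration,AS64500,1100
2026-04-03,svc-marketing,BulkApi,Integration,AS64500,1300
2026-04-01,jdoe,ReportExport,Browser,AS64501,150
2026-04-02,jdoe,ReportExport,Browser,AS64501,200
2026-04-03,jdoe,ReportExport,Browser,AS64501,180
2026-04-04,jdoe,BulkApi,DataLoader,AS64511,48000
2026-04-04,svc-marketing,BulkApi,Integration,AS64500,1250
2026-04-04,asmith,ReportExport,Browser,AS64502,90
"""

def detect(log_text, cutoff_day, factor=5, min_history=3):
    """Baseline on rows before cutoff_day, then alert on rows from it onward."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    history, seen_asns = defaultdict(list), defaultdict(set)
    for r in rows:
        if r["day"] < cutoff_day:  # ISO dates compare correctly as strings
            history[r["user"]].append(int(r["rows"]))
            seen_asns[r["user"]].add(r["asn"])
    alerts = []
    for r in rows:
        if r["day"] < cutoff_day:
            continue
        user, reasons = r["user"], []
        past = history[user]
        if len(past) < min_history:
            reasons.append("no-baseline")  # new exporter: review by hand
        elif int(r["rows"]) > factor * median(past):
            reasons.append("volume")
        if seen_asns[user] and r["asn"] not in seen_asns[user]:
            reasons.append("new-asn")
        if r["client"] == "DataLoader" and "new-asn" in reasons:
            reasons.append("dataloader-new-asn")
        if reasons:
            alerts.append((user, r["day"], reasons))
    return alerts
```

Calling detect(SAMPLE, "2026-04-04") returns alerts for jdoe (volume, new ASN, Data Loader from a new ASN) and for asmith (no baseline yet), while the integration user's routine export stays quiet. The factor and min_history thresholds are illustrative and should be tuned against your own export history.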
Sources: [SHINYHUNTERS] - Ransomware Victim: 7-Eleven, Inc[.] (7-eleven[.]com) - RedPacket Security