Ransomware | SYSCO-QILIN-SHINYH | 2026-07-05

Sysco: Qilin Ransomware and ShinyHunters OAuth Extortion

Sysco, the largest food distributor in the world, was claimed by two separate extortion crews inside roughly eight weeks. Qilin, the ransomware operation, named Sysco as a victim in early May 2026. On June 15, ShinyHunters claimed it had stolen more than 61 million Salesforce records and set a June 18 payment deadline. The deadline passed, and on June 28 Have I Been Pwned loaded 2,691,852 Sysco accounts into its database. Two unrelated actors, two access paths, one company, one quarter. That is the anchor here, and it is confirmed. The 61 million figure is still a ShinyHunters claim.

What Happened

The timeline is short and it is the point. In early May, Qilin listed Sysco on its ransomware leak site. Weeks later, on June 15, ShinyHunters surfaced with a separate extortion claim built on stolen Salesforce data and a hard June 18 deadline for payment. No payment arrived, and the data started moving: Have I Been Pwned confirmed and loaded 2,691,852 Sysco accounts on June 28. Two unrelated crews independently found a way into the same environment within a single quarter. A lone breach is an incident. Two breaches by two actors through what look like two different doors is a posture problem, and the posture is what defenders should be reading rather than the headline record count.

What Was Taken

The verifiable portion is the Have I Been Pwned load: 2,691,852 accounts exposing email addresses, full names, job titles, phone numbers, physical addresses, internal account IDs, and customer feedback records. That is a mix of employee and customer identity data plus internal business identifiers, precisely the material that fuels targeted phishing, business email compromise, and follow-on fraud against Sysco's customer base. ShinyHunters separately claims more than 61 million Salesforce records spanning customer information, employee data, and internal corporate records. That larger figure remains an unverified assertion by the actor and should be treated as a claim, not a confirmed count. Qilin's claim from May has not been publicly quantified.

Why It Matters

When two independent crews walk through the same building weeks apart, the building had more than one unresolved way in, and both were open at the same time. The 61 million number is designed to be the story; the two-crews-in-two-months detail is the story. For a company at the center of the food supply chain, an exposed employee and customer dataset is not just a privacy event. It is a ready-made toolkit for impersonating Sysco to its own customers and staff, and it signals that access into the environment was cheap enough that multiple actors found it independently. Defenders reading this should assume the underlying access paths outlive any single extortion event.

The Attack Technique

The ShinyHunters Salesforce campaign does not break Salesforce. It abuses OAuth tokens and dormant API credentials, the standing long-lived authorizations that connect a CRM to the dozen SaaS tools bolted onto it. The same method has now been used against Kodak, Ralph Lauren, and the Council of Europe, and it traces back to the Salesloft-Drift OAuth breach attributed to UNC6395, first reported in September 2025, where stolen tokens for one marketing integration opened the Salesforce instances of 760 organizations. That incident also pulled twelve security vendors into the victim column. Sysco is not a new class of attack. It is the same OAuth-token door on a bigger building. The Qilin intrusion in May represents a separate path, which is exactly why the two events together read as a systemic access problem rather than one flaw.

What Organizations Should Do

  1. Inventory every OAuth grant and API integration connected to Salesforce and other core SaaS platforms. Revoke tokens tied to unused, dormant, or third-party marketing tools you cannot fully account for.
  2. Rotate long-lived API credentials on a schedule and enforce short token lifetimes with refresh policies. Standing, never-expiring authorizations are the vulnerability class in play here.
  3. Scope integration permissions to least privilege. A CRM connector rarely needs bulk export rights across every object; constrain what each token can read.
  4. Monitor for anomalous API pull volume and off-hours bulk queries against CRM data. High-volume record extraction through a legitimate token is the signal this technique leaves.
  5. Treat a first intrusion as evidence of multiple open paths, not a single closed one. After any breach, hunt for additional footholds instead of assuming the one you found was the only one.
  6. Assume exposed employee and customer identity data will be weaponized for phishing and BEC. Brief staff and downstream customers, and tighten verification for payment and account changes.
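The technique section and steps 1 through 4 above describe two signals a defender can actually query for: standing OAuth grants that are dormant or over-scoped, and high-volume or off-hours pulls made through a token that is otherwise legitimate. The script below is an added example, not Sysco's code and not Salesforce's API; the grant inventory and API event records are constructed with a simplified field layout (app, scopes, last_used, ts, rows) rather than the real Salesforce event log schema.

```python
# Added example (not Sysco's or Salesforce's code): the two signals the brief
# names, dormant/over-scoped OAuth grants and bulk pulls through a valid token.
# Record fields are a constructed, simplified shape, not the real event schema.
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 28)  # constructed "today": the HIBP load date in the brief

# Constructed grant inventory: connected app, granted scopes, last token use.
GRANTS = [
    {"app": "Marketing-Chat-Connector", "scopes": ["api", "refresh_token"],
     "last_used": "2026-01-12T09:00:00"},
    {"app": "Finance-Sync", "scopes": ["api"], "last_used": "2026-06-27T14:10:00"},
    {"app": "Legacy-Reporting", "scopes": ["full"], "last_used": "2025-11-03T22:45:00"},
]
# Constructed API events: app that holds the token, UTC timestamp, rows returned.
EVENTS = [
    {"app": "Finance-Sync", "ts": "2026-06-27T14:10:00", "rows": 1200},
    {"app": "Marketing-Chat-Connector", "ts": "2026-06-14T02:05:00", "rows": 250000},
    {"app": "Marketing-Chat-Connector", "ts": "2026-06-14T02:40:00", "rows": 310000},
    {"app": "Finance-Sync", "ts": "2026-06-14T10:00:00", "rows": 800},
]

def stale_or_overscoped(grants, now=NOW, max_idle_days=30, broad=frozenset({"full"})):
    """Grants idle longer than max_idle_days or holding a broad scope (revoke or re-scope)."""
    findings = []
    for g in grants:
        idle = now - datetime.fromisoformat(g["last_used"])
        reasons = []
        if idle > timedelta(days=max_idle_days):
            reasons.append(f"idle {idle.days}d")
        if broad & set(g["scopes"]):
            reasons.append("broad scope")
        if reasons:
            findings.append((g["app"], reasons))
    return findings

def bulk_pulls(events, row_threshold=100_000, open_hour=7, close_hour=19):
    """Rows pulled per app per hour; alert on volume, with a 10x lower bar off-hours."""
    buckets = defaultdict(int)
    for e in events:
        ts = datetime.fromisoformat(e["ts"]).replace(minute=0, second=0)
        buckets[(e["app"], ts)] += e["rows"]
    alerts = []
    for (app, hour), rows in sorted(buckets.items()):
        off_hours = not open_hour <= hour.hour < close_hour
        if rows >= row_threshold or (off_hours and rows >= row_threshold // 10):
            alerts.append((app, hour.isoformat(), rows, off_hours))
    return alerts
```

Against the constructed data, the dormant marketing connector is flagged on the grant review and again as the source of a 560,000-row pull at 02:00; a real deployment would feed the same two checks from the platform's own grant inventory and API event export.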

Sources: Two Ransomware Crews Hit Sysco in Two Months. Qilin in May, ShinyHunters in June. When Two Gangs Walk the Same Door Weeks Apart, the Door Was the Problem.