The world's largest food distributor is facing its second extortion threat in weeks. ShinyHunters, the prolific data-theft collective, has posted Sysco Corporation to its dark web victim blog and claims to have stolen more than 61 million Salesforce records spanning customer, employee, and internal corporate data. The threat arrives just weeks after the Qilin ransomware gang named the Houston-based giant, leaving Sysco fighting on two extortion fronts at once.
What Happened
ShinyHunters listed Sysco (the name is a contraction of "Systems and Services Company") on its leak site and claimed to have compromised "over 61 million Salesforce records across several tables." The group gave Sysco a hard two-day deadline to make contact before it publishes the allegedly exfiltrated data, signing off the post with a familiar pressure tactic: "Make the right decision, don't be the next headline." No proof samples accompanied the listing, so the claim remains unverified at the time of writing. Critically, this is the second extortion attempt against Sysco in a short window. The company was recently named by the Qilin ransomware operation, meaning two distinct threat actors are now applying pressure to the same victim.
What Was Taken
According to ShinyHunters, the stolen databases include "customer data/PII, employee data, and other internal corporate data." The headline figure is 61 million records pulled from multiple Salesforce tables, which would represent a substantial slice of Sysco's customer relationship and operational data. Because the gang published no samples, the volume and sensitivity cannot be independently confirmed. If the claim holds, the exposure would touch personally identifiable information for customers and employees alike, plus internal corporate records that could fuel follow-on fraud, phishing, and business email compromise against Sysco's vast partner ecosystem.
Why It Matters
Sysco is not an ordinary breach target. Formed in 1969, it operates more than 340 distribution facilities worldwide and supplies nearly 500 fresh and frozen food products, culinary supplies, and equipment to roughly 750,000 locations across 10 countries. Its customer base spans some of the most sensitive sectors imaginable: restaurants, healthcare and senior living facilities, government agencies including FEMA and the Red Cross, military installations, schools, hotels, airlines, airports, cruise ships, sports stadiums, casinos, supermarkets, and convenience stores. The company also owns 150 local subsidiaries across 90 countries. A data compromise of this magnitude could ripple outward into critical infrastructure and public services, and any leaked PII becomes raw material for targeting downstream organizations that trust Sysco as a vendor.
The Attack Technique
ShinyHunters has not detailed its intrusion method for this incident, and Sysco has not publicly confirmed a breach. However, the targeting of Salesforce data fits a well-documented ShinyHunters playbook. The group has repeatedly used voice phishing (vishing) and social engineering to talk employees into authorizing a malicious connected app (often a repackaged copy of Salesforce's own Data Loader) or into surrendering credentials, then used the resulting OAuth access to drive legitimate Salesforce APIs and bulk-export records from many objects at once. That route matters for defenders because nothing in it trips an exploit signature: the consent, the token and the export are all sanctioned platform features used by an attacker-controlled client. The phrase "several tables" in the listing is consistent with this kind of API-driven mass extraction rather than a single misconfigured report or export. Until Sysco confirms otherwise, defenders should treat connected-app and OAuth abuse, anomalous bulk API queries, and credential or consent phishing as the most probable vectors.
What Organizations Should Do
- Audit all connected and third-party OAuth apps in your Salesforce org. Revoke anything unrecognized or over-permissioned, restrict who can install or authorize new connected apps, and require admin pre-approval for apps that request API access or full-data scopes.
- Enforce phishing-resistant MFA (FIDO2 or hardware keys) for all Salesforce and SaaS administrator accounts, and train staff specifically on vishing and consent-phishing scenarios. Note the limit: MFA stops a stolen password, not a user who is talked into approving a malicious app from inside a legitimate session, which is why the connected-app controls above still matter.
- Monitor Salesforce event logs (Event Monitoring is part of Salesforce Shield, so check which event types your license exposes) for anomalous bulk API activity, large data exports, and logins from unusual locations or IP ranges. Alert on volume spikes from data loader tools, and on a single user or client touching many objects in a short window, since that pattern is what "several tables" looks like in the logs.
- Apply IP allowlisting and session controls to limit API access to known corporate networks and trusted integration endpoints, and make sure connected apps are set to enforce those login IP ranges rather than relax them.
- Inventory and minimize the PII stored in Salesforce; apply field-level encryption and data masking so a single export yields less usable sensitive data. Keep in mind that platform encryption protects data at rest and is transparent to any user with read access, so an attacker exporting through a compromised account still receives plaintext; minimization and tighter object and field permissions are what actually shrink the haul.
- Prepare an extortion response plan that does not assume a single adversary, since this incident shows multiple gangs can target one victim concurrently. Coordinate legal, comms, and IR teams in advance.
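The bulk-API detection described in the monitoring step above, written out as an added example (not code from the original article, from Sysco, or from Salesforce). It runs over a handful of constructed log rows in a simplified shape modelled on a Salesforce EventLogFile export; the column names, the corporate IP range, the approved-integration allowlist and the thresholds are all assumptions for illustration. The idea it demonstrates is that volume alone is a poor signal (a sanctioned nightly sync also moves a lot of rows), so it only raises a finding when a large export coincides with another indicator: many distinct objects, an unapproved client, or a non-corporate source IP.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample rows. The column set is an assumed, simplified subset of what a
# Salesforce EventLogFile export for API/BulkApi events contains; it is not a real org's log.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
BulkApi,2024-01-10T02:03:11Z,005xx0000001AAA,203.0.113.7,DataLoader,Account,1500000
BulkApi,2024-01-10T02:05:40Z,005xx0000001AAA,203.0.113.7,DataLoader,Contact,2200000
BulkApi,2024-01-10T02:09:02Z,005xx0000001AAA,203.0.113.7,DataLoader,Opportunity,900000
BulkApi,2024-01-10T02:12:55Z,005xx0000001AAA,203.0.113.7,DataLoader,Case,600000
Api,2024-01-10T09:15:00Z,005xx0000002BBB,10.20.30.40,NightlyERPSync,Account,40000
Api,2024-01-10T09:16:00Z,005xx0000002BBB,10.20.30.40,NightlyERPSync,Order,12000
Api,2024-01-10T11:00:00Z,005xx0000003CCC,10.20.30.41,Salesforce Web,Contact,50
"""

# Assumed environment facts: the corporate egress range and the integrations that are allowed
# to pull data in bulk. In practice these come from your asset inventory and app review.
CORPORATE_RANGES = [ipaddress.ip_network("10.20.30.0/24")]
APPROVED_INTEGRATIONS = {"NightlyERPSync", "Salesforce Web"}
ROW_THRESHOLD = 500_000   # rows per user per log window before volume counts as a signal
TABLE_THRESHOLD = 3       # distinct objects touched before it counts as "several tables"


@dataclass
class ActorSummary:
    """Everything one USER_ID did in the log window."""
    rows: int = 0
    tables: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    events: int = 0


def summarize(log_text):
    """Aggregate API and BulkApi events per user; other event types are ignored."""
    per_actor = defaultdict(ActorSummary)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] not in ("BulkApi", "Api"):
            continue
        s = per_actor[row["USER_ID"]]
        s.rows += int(row["ROWS_PROCESSED"])
        s.tables.add(row["ENTITY_NAME"])
        s.ips.add(row["CLIENT_IP"])
        s.clients.add(row["CLIENT_NAME"])
        s.events += 1
    return per_actor


def is_corporate(ip):
    """True if the source address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_suspicious(log_text):
    """Return (user_id, reasons) for users whose bulk export has at least one corroborating signal.

    Volume on its own is not enough: a sanctioned sync legitimately moves many rows. A finding
    needs high volume plus something else (many objects, unapproved client, or off-site IP).
    """
    findings = []
    for user, s in summarize(log_text).items():
        reasons = []
        if s.rows >= ROW_THRESHOLD:
            reasons.append(f"{s.rows} rows exported")
        if len(s.tables) >= TABLE_THRESHOLD:
            reasons.append(f"{len(s.tables)} distinct objects ({', '.join(sorted(s.tables))})")
        unknown = s.clients - APPROVED_INTEGRATIONS
        if unknown:
            reasons.append(f"unapproved client(s): {', '.join(sorted(unknown))}")
        offsite = {ip for ip in s.ips if not is_corporate(ip)}
        if offsite:
            reasons.append(f"non-corporate IP(s): {', '.join(sorted(offsite))}")
        if s.rows >= ROW_THRESHOLD and len(reasons) >= 2:
            findings.append((user, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_LOG):
        print(f"ALERT user={user}")
        for r in reasons:
            print(f"  - {r}")
```

On the sample above only the Data Loader session trips an alert: 5.2 million rows across four objects, from a client not on the allowlist, sourced from a non-corporate address. The nightly sync moves 52,000 rows across two objects from an approved client on the corporate range and is left alone. Tune the thresholds to your own baseline, and feed the same summaries into a second rule that flags a known integration whose row count or object set suddenly changes, since a stolen integration token will show up as an approved client behaving unusually.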