7-Eleven has confirmed a data breach after the prolific cybercrime group ShinyHunters claimed responsibility and demanded a ransom payment. The attackers claimed to have exfiltrated more than 600,000 Salesforce records containing personal information and corporate data from the global convenience store chain, according to reporting from SecurityWeek.
What Was Stolen
According to ShinyHunters' claims — which 7-Eleven has confirmed as genuine — the stolen dataset consists of Salesforce CRM records. The data reportedly includes:
- Personal information — Customer names, contact details, and potentially loyalty program data
- Corporate data — Internal business records stored within 7-Eleven's Salesforce environment
- Account records — Salesforce objects that may include relationship data tied to business partners, franchise operators, or registered customers
With over 600,000 records affected, the breach represents a significant exposure for one of the world's largest convenience store chains, which operates over 83,000 stores across 19 countries.
ShinyHunters: Escalating Salesforce Attacks
ShinyHunters has become one of the most prolific and destructive cybercrime groups in 2025–2026, responsible for a wave of data breaches targeting cloud platforms. The group has repeatedly targeted Salesforce environments across multiple victims:
| Victim | Claimed Records | Date |
|---|---|---|
| Shinyhunters/Salesforce/Aura data theft | Multiple organizations | March 2026 |
| ADT | 5.5 million customers | April 2026 |
| Canada Goose | 600,000+ records | Q1 2026 |
| Medtronic | 9 million records claimed | April 2026 |
| 7-Eleven | 600,000+ Salesforce records | May 2026 |
The group's operational pattern involves:
- Gaining unauthorized access to cloud platforms, often via compromised credentials or API tokens
- Exfiltrating large datasets
- Contacting the victim with a ransom demand
- Publishing or selling stolen data when payment is refused
How Salesforce Environments Are Compromised
Salesforce CRM environments can be breached through several attack vectors commonly exploited by groups like ShinyHunters:
| Vector | Description |
|---|---|
| Compromised credentials | Phished or reused Salesforce user credentials — Salesforce accounts without MFA are especially vulnerable |
| OAuth token theft | Stealing OAuth tokens from connected applications that have API access to Salesforce data |
| Third-party integrations | Compromising a business partner or software vendor with Salesforce API access |
| Session token hijacking | Stealing browser session cookies from authenticated Salesforce users |
| Data export API abuse | Using legitimate Salesforce bulk data export features with stolen credentials to exfiltrate large datasets |
The Salesforce Aura framework, which powers many Lightning Experience components, has also been investigated as a potential attack surface for credential-based data theft.
Impact on 7-Eleven
For 7-Eleven, the confirmed breach carries significant consequences:
- Customer notification obligations — Depending on jurisdiction, 7-Eleven may be required to notify affected individuals under GDPR, CCPA, and various state and national data protection laws
- Regulatory scrutiny — Data protection authorities in the US, EU, and other regions may initiate investigations
- Franchise partner exposure — If corporate data includes franchise operator information, business partners may also be at risk
- Reputational damage — Consumer trust in loyalty programs and digital services may be impacted
- Potential class action — Large-scale consumer data breaches frequently attract class action litigation in the US
Recommendations for Affected Individuals
If you are a 7-Eleven customer — particularly if you use the 7-Eleven app, a loyalty account, or have engaged with 7-Eleven's digital services:
- Watch for a breach notification — 7-Eleven should notify affected individuals directly
- Change your 7-Eleven account password — Use a unique, strong password and enable multi-factor authentication if available
- Monitor for phishing — Stolen personal data is frequently used to craft targeted phishing emails; be suspicious of communications claiming to be from 7-Eleven
- Check for credential reuse — If you used the same password on your 7-Eleven account and other services, change it everywhere immediately
- Review account activity — Check your loyalty account for unauthorized point redemptions or account changes
Salesforce Security Best Practices for Enterprises
Organizations using Salesforce CRM should treat this breach as a prompt to review their security posture:
- Enforce MFA on all Salesforce users — Salesforce's built-in MFA enforcement should be enabled for all user profiles
- Audit connected apps and OAuth grants — Remove stale or unnecessary third-party app integrations with Salesforce API access
- Implement IP allowlisting — Restrict Salesforce API and UI access to known corporate IP ranges where feasible
- Enable Salesforce Shield — Use Platform Encryption, Event Monitoring, and Field Audit Trail for enhanced data protection and anomaly detection
- Review data export permissions — Restrict bulk data export capabilities to only those roles that genuinely require them
- Monitor API activity — Audit Salesforce API call volumes and flag anomalous bulk data access patterns
The ShinyHunters Threat Group
ShinyHunters has operated since at least 2020, when they emerged selling stolen databases on cybercrime forums. The group has significantly escalated its activities in 2024–2026, now functioning as part of a broader cybercriminal ecosystem that includes affiliates operating under the Coinbase Cartel umbrella (linked to Scattered Spider and Lapsus$). Their technical capabilities include cloud platform exploitation, API credential theft, and large-scale data exfiltration across multiple industry verticals.
Law enforcement has arrested several alleged ShinyHunters members in previous years, but the group continues to operate and recruit new members.