7-Eleven data breach exposes personal information of 185,000 people

At a glance:

• ShinyHunters claimed to have stolen over 600,000 records from 7‑Eleven’s Salesforce environment and leaked a 9.4 GB archive
• Have I Been Pwned analysis shows 185,300 individuals affected, including names, DOB, email, phone and address
• The breach was discovered on May 1, 2024 after unauthorized access on April 8, 2026 and follows a 2022 ransomware incident in Denmark

What happened

The extortion group ShinyHunters announced on April 17 that it had breached 7‑Eleven’s Salesforce environment, exfiltrating more than 600,000 records. The stolen data allegedly included corporate documents and a vast trove of personally identifiable information (PII). After the company refused to pay a ransom, the gang posted a 9.4 GB archive of the compromised files on its dark‑web leak site.

Data‑breach notification service Have I Been Pwned later examined the leaked archive and confirmed that the exposure covered 185,300 people. The compromised fields comprise unique email addresses, full names, dates of birth, phone numbers and physical addresses. A small subset of records also contained additional data fields, though the exact nature of those extras was not disclosed.

7‑Eleven’s own disclosure, sent to affected customers on May 1, 2024, stated that an “unauthorized third party” accessed “certain 7‑Eleven systems used to store franchisee documents” on April 8, 2026. The company has not officially attributed the attack to ShinyHunters, nor has it released further technical details about the intrusion vector.

The breach is part of a broader campaign by ShinyHunters against Salesforce customers. Over the past year the gang has claimed hundreds of compromises, alleging theft of billions of records in the so‑called “Salesforce Aura” and “Salesloft Drift” attacks.

Other high‑profile victims ShinyHunters has listed include the European Commission, video platform Vimeo, Spanish fast‑fashion retailers Zara and MANGO, ed‑tech giant McGraw‑Hill, home‑security company ADT, medical‑device maker Medtronic, adult‑site PornHub, game developer Rockstar Games, dating service Match Group, and tech giants Cisco and Google.

Response and implications

7‑Eleven notified affected customers via breach‑notification letters and urged them to monitor their accounts for suspicious activity. The company also emphasized that the breach was limited to “certain 7‑Eleven systems used to store franchisee documents,” a statement that aligns with the data fields observed by Have I Been Pwned.

The FBI recently issued a warning to all victims of ShinyHunters, advising against paying ransoms. The agency cautioned that ransom payments do not guarantee that threat actors will refrain from selling the stolen data to other criminals or launching follow‑up extortion attempts.

The incident revives concerns about the security of cloud‑based CRM platforms like Salesforce, especially when they host sensitive franchisee information for large retail chains. Security experts note that while Salesforce provides robust native controls, misconfigurations and inadequate access‑management practices can still expose vast data sets.

For 7‑Eleven, the breach adds to a previous ransomware episode in Denmark (August 2022) that forced the shutdown of 175 stores after attackers encrypted critical systems. The cumulative effect of repeated incidents may pressure the retailer to accelerate its cybersecurity investments and reassess third‑party vendor risk.

Stakeholders—including franchise owners, loyalty‑program members (over 100 million across 7Rewards and Speedy Rewards), and regulators—are likely to scrutinize the company’s incident‑response procedures and data‑protection policies. Ongoing monitoring of the leaked archive will be essential to gauge whether the data is being repurposed for further phishing or fraud campaigns.

Broader context

ShinyHunters’ focus on Salesforce highlights a shifting threat landscape where cybercriminals target SaaS ecosystems rather than traditional on‑premise networks. The group’s public “leak‑and‑extort” model—publishing large archives to pressure victims into paying—has proven effective in extracting payouts, even though law‑enforcement agencies continue to advise against ransom payments.

The FBI’s advisory underscores a growing consensus among security agencies: proactive defense, rapid detection, and robust backup strategies are more reliable than reactive ransom negotiations. Companies are urged to implement zero‑trust architectures, enforce least‑privilege access, and regularly audit cloud configurations to mitigate similar attacks.

As the investigation unfolds, 7‑Eleven is expected to cooperate with law‑enforcement and may face regulatory scrutiny in jurisdictions with strict data‑privacy laws, such as the EU’s GDPR and various U.S. state statutes. The ultimate impact on the retailer’s brand reputation and customer trust will depend on the effectiveness of its remediation efforts and communication strategy.