ShinyHunters dumped 9.4GB of 7-Eleven franchisee data after a rejected ransom demand
ShinyHunters breached a 7-Eleven Salesforce instance holding franchisee documents, exposing 185,000 people. The 9.4GB archive hit a leak site after 7-Eleven declined to pay.
The extortion gang ShinyHunters leaked a 9.4GB archive of 7-Eleven data after the retailer declined to pay, BleepingComputer reported. The dump exposed personal information on roughly 185,000 people pulled from a Salesforce system that stored franchisee documents.
This is the same crew, same playbook, different victim. ShinyHunters has spent the year working through companies’ Salesforce environments, and 7-Eleven, which operates more than 86,000 stores worldwide, is the latest name on the list. The compromised system wasn’t point-of-sale or payment infrastructure, so card data isn’t the story here. It was the back-office document store franchisees use, which turns out to hold exactly the kind of identity-grade personal data that fuels the next round of phishing and fraud. That’s why a “document store” breach matters as much as a payment one.
What we know
7-Eleven has confirmed the intrusion. In a notice reported by BleepingComputer, the company said: “We recently discovered that on April 8, 2026, an unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents.” Here’s what’s established so far.
- The intrusion date is fixed. The unauthorized access happened on April 8, 2026, per that notice, and ShinyHunters went public with the theft nine days later.
- The exposed data is identity-grade. Have I Been Pwned, which ingested the leak, confirmed 185,000 unique email addresses alongside names, physical addresses, dates of birth, and phone numbers. That’s enough to seed convincing phishing and identity fraud.
- ShinyHunters claimed it publicly. The group took responsibility on April 17, said it pulled more than 600,000 records of corporate and personal data, and posted the 9.4GB archive to a dark-web leak site after its ransom demand was refused.
- The entry point was Salesforce. The breached store was a Salesforce instance, consistent with ShinyHunters’ broader campaign against Salesforce customers, where the gang has claimed billions of stolen records across many companies.
What we don’t know
Three gaps remain even with the April 8 timeline and the 185,000-email count confirmed.
- How they got in. ShinyHunters’ Salesforce campaign has leaned heavily on social engineering and abused OAuth-connected apps rather than software exploits, but 7-Eleven hasn’t detailed the exact vector for this intrusion.
- The real headcount. The 185,000 figure is the count of unique emails in the leaked file, but ShinyHunters claims more than 600,000 records total. The actual number of affected franchisees, staff, and corporate contacts could land anywhere between those two once 7-Eleven finishes its own analysis.
- Whether notifications are going out. There’s no public detail yet on regulatory filings or individual breach notices to the people in the dump.
Who reported this
The breach surfaced through BleepingComputer and Technadu, corroborated by Have I Been Pwned’s ingestion of the leaked archive. ShinyHunters is the named actor. This isn’t the group’s first appearance in our coverage: it’s the same outfit that hit Canvas LMS for 275 million student records earlier this month. The FBI’s standing guidance to extortion victims is not to pay, and 7-Eleven appears to have followed it, which is why the data is now public.
What this means for you
If you’re a 7-Eleven franchisee or worked with the corporate side, assume your name, address, date of birth, phone, and email are now circulating. None of that is resettable like a password. The realistic threat is targeted phishing and identity fraud: someone who knows your real address and birthday can spoof a “7-Eleven corporate” email or a bank call that sounds legitimate. Treat any unexpected message referencing the breach as hostile, verify through a channel you initiate, and consider a credit freeze if you’re in the dump.
If you run security anywhere that touches Salesforce, this is your prompt to audit it this week. ShinyHunters keeps winning the same way: a third-party connected app with broad scopes, or a help-desk social-engineering call that resets the wrong account. Pull the list of OAuth apps with access to your org, kill the ones nobody recognizes, and tighten the scopes on the rest. The breach here wasn’t a clever zero-day. It was a back-office document store that someone could reach and a chain that, to its credit, refused to fund the next one.
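One way to run the connected-app audit described above, as an added example that is not from the article, 7-Eleven or Salesforce. The CSV layout, app names and allowlist are constructed assumptions; the scope tokens are standard Salesforce OAuth scope names.

```python
import csv
import io

# Constructed inventory of OAuth-connected apps. The column layout is an
# assumption for this example, not a Salesforce export format.
SAMPLE_INVENTORY = """app_name,scopes,authorized_users
Payroll Connector,api refresh_token,4
Doc Archive Sync,full refresh_token,2
Data Export Helper,full refresh_token,37
Badge Printer,id openid,120
"""

# Apps a named owner has vouched for (hypothetical allowlist).
APPROVED = {"Payroll Connector", "Doc Archive Sync", "Badge Printer"}

DATA_SCOPES = {"api", "full", "web"}              # can read or write org data
PERSISTENT = {"refresh_token", "offline_access"}  # access outlives the session


def triage(inventory_csv, approved):
    """Return (app, action, reasons) tuples, riskiest first."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["app_name"]
        scopes = set(row["scopes"].split())
        reasons = []
        if name not in approved:
            reasons.append("no owner on allowlist")
        if "full" in scopes:
            reasons.append("holds 'full' scope")
        if scopes & DATA_SCOPES and scopes & PERSISTENT:
            reasons.append("persistent data access")
        # Unrecognized apps are revoked; recognized apps with 'full' get narrowed.
        if name not in approved:
            action = "revoke"
        elif "full" in scopes:
            action = "tighten"
        else:
            action = "keep"
        # Rank: unrecognized first, then number of findings, then user reach.
        rank = (action == "revoke", len(reasons), int(row["authorized_users"]))
        results.append((rank, name, action, reasons))
    results.sort(reverse=True)
    return [(name, action, reasons) for _, name, action, reasons in results]


if __name__ == "__main__":
    for name, action, reasons in triage(SAMPLE_INVENTORY, APPROVED):
        print(f"{action:8} {name:20} {'; '.join(reasons) or 'ok'}")
```

An app marked "keep" can still carry a finding such as persistent data access, which is the cue to confirm with its owner that the refresh token is actually needed.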