ShinyHunters Exfiltrates 600K Records from 7‑Eleven’s Salesforce Environment
What Happened – In early April 2026, attackers accessed 7‑Eleven’s Salesforce tenant and stole more than 600,000 records containing franchisee documents, personal identifiers, and corporate data. The ShinyHunters extortion gang publicly claimed responsibility on April 17 and later leaked a 9.4 GB archive after the company refused to pay.
Why It Matters for TPRM –
- A major global retailer’s SaaS provider was compromised, exposing both consumer and partner data.
- The breach demonstrates the risk of third‑party cloud services (Salesforce) when credential hygiene or configuration controls are weak.
- Ongoing extortion and public data dumps can trigger regulatory notifications, fines, and brand damage.
Who Is Affected – Retail & convenience‑store operators, franchise networks, loyalty‑program participants, and any downstream vendors that exchange data via 7‑Eleven’s Salesforce APIs.
Recommended Actions –
- Verify that all third‑party SaaS accounts (especially CRM/ERP) enforce MFA, least‑privilege access, and regular credential rotation.
- Conduct a focused audit of Salesforce security settings (IP restrictions, session policies, data export controls).
- Review contractual clauses with 7‑Eleven and its subsidiaries for breach‑notification obligations and data‑handling guarantees.
Technical Notes – The attackers likely leveraged stolen or weak credentials to gain API‑level access to the Salesforce environment, then exfiltrated data via bulk export tools. No specific CVE was disclosed. Exfiltrated data included franchisee contracts, employee PII, and loyalty‑program details. Source: BleepingComputer