ShinyHunters Extorts 7‑Eleven, Exposing 185 K Customer Records from Salesforce Platform
What Happened – In early April 2026, the ShinyHunters extortion gang breached 7‑Eleven’s Salesforce environment and stole over 600 K records, later leaking a 9.4 GB archive that exposed personal data of approximately 185 300 individuals. The gang demanded a ransom; 7‑Eleven refused, prompting public release of the data.
Why It Matters for TPRM –
- Large‑scale PII exposure from a global retail brand heightens supply‑chain risk for any downstream partners.
- Compromise of a SaaS CRM (Salesforce) demonstrates the danger of third‑party cloud dependencies.
- Extortion tactics can lead to data leakage even when ransom is not paid, affecting reputation and compliance.
Who Is Affected – Retail and convenience‑store operators, their franchisees, and any third‑party services integrated with 7‑Eleven’s Salesforce (e.g., loyalty‑program providers, marketing platforms).
Recommended Actions –
- Review contracts and security clauses with 7‑Eleven and any SaaS CRM providers.
- Verify that your organization’s data shared with 7‑Eleven (or similar retailers) is encrypted at rest and in transit.
- Conduct a third‑party risk assessment focusing on credential hygiene and MFA for cloud applications.
Technical Notes – Attack vector appears to be stolen credentials used to access the Salesforce instance; no specific CVE disclosed. Exfiltrated data includes names, dates of birth, email addresses, phone numbers, and physical addresses. Source: BleepingComputer