7-Eleven
ShinyHunters claimed 600,000 records. The company confirmed 185,000. State filings revealed SSNs and driver's licenses were in the mix—data 7-Eleven initially downplayed.
What happened?
On April 8, 2026, 7-Eleven discovered unauthorized access to certain company systems. By April 17, ShinyHunters claimed responsibility and threatened to publish stolen data if ransom demands weren't met by April 21. The company refused to pay. ShinyHunters leaked a 9.4GB archive on their dark web site. Breach notification letters went out May 1, 2026.
What data was actually inside?
Initial disclosures mentioned email addresses, names, physical addresses, dates of birth, and phone numbers. Then state attorney general filings told a different story: Social Security numbers and driver's license numbers were also exposed.
ShinyHunters claimed to have stolen over 600,000 records from 7-Eleven's Salesforce environment—corporate data and personally identifiable information from franchisee operations. The company's confirmed count is 185,000+ individuals, but the full scope continues to emerge through regulatory filings.
Who gets hurt and how?
185,000 people whose SSNs and driver's licenses are now circulating on dark web forums. This is identity theft fuel: new account fraud, tax refund theft, synthetic identity schemes. The exposed data wasn't just customer information—it included franchisee and employee records from 7-Eleven's business operations.
7-Eleven is offering 24 months of identity theft protection through IDX, with enrollment open until August 1, 2026. That's an acknowledgment of the severity: when you're offering two years of monitoring, you're admitting the damage can't be undone quickly.
What did they think they were doing right?
Using Salesforce as their CRM platform. Salesforce is enterprise-grade software with extensive security certifications. It's what major retailers use to manage customer relationships, franchisee data, and business operations. The platform itself is secure.
But ShinyHunters has been targeting Salesforce instances specifically since mid-2025. The intrusions don't exploit Salesforce vulnerabilities—they come through phishing, abuse of third-party integrations, or misconfigurations. The platform is secure; the way organizations use it often isn't.
What did they not know about their own data?
The evolving disclosure tells the story. Initial statements mentioned standard contact information. State filings added SSNs and driver's licenses. The gap between "what we thought was in there" and "what was actually in there" expanded over weeks.
Salesforce environments accumulate data across years of business operations. Franchisee applications. Employee onboarding forms. Support tickets. Every business process that touches the CRM leaves data behind. Without a comprehensive inventory, organizations don't know what's at risk until attackers tell them.
If you use Salesforce, you probably have the same data types—emails, names, addresses, phone numbers. Do you know which fields contain PII?
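One way to start answering that question, as an added example (not from the original article or from any 7-Eleven or Salesforce tooling): a minimal inventory pass over exported CRM records that flags fields by name and by SSN-shaped values, including free-text fields where identifiers end up by accident. The object names, field names, and records are constructed, and the script assumes the export has already been loaded into Python dictionaries.

```python
import re
from collections import defaultdict

# SSN in 3-2-4 form with one consistent separator; skips never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}\b")
# Field-name hints. Driver's license formats vary by state, so names are the
# practical signal for them. This hint list is an assumption; extend it.
NAME_HINT_RE = re.compile(r"ssn|social|tax_?id|driver|licen[sc]e|birth", re.I)

# Constructed sample export: object -> list of records (field -> value).
# All object names, field names, and values here are hypothetical.
SAMPLE_EXPORT = {
    "Contact": [
        {"Email": "pat@example.com", "Phone": "555-123-4567",
         "MailingPostalCode": "75001-1234"},
    ],
    "Franchise_Application__c": [
        {"Applicant_Name__c": "Pat Example", "Tax_Id__c": "123-45-6789",
         "Drivers_License__c": "X1234567"},
    ],
    "Case": [
        {"Subject": "Payroll setup",
         "Description": "Employee sent SSN 219-09-9999 for onboarding."},
    ],
}


def inventory(export):
    """Return {(object, field): reasons} for fields that look sensitive."""
    findings = defaultdict(set)
    for obj, rows in export.items():
        for row in rows:
            for field, value in row.items():
                if NAME_HINT_RE.search(field):
                    findings[(obj, field)].add("name")
                # Value scan catches SSNs in fields whose names give no hint.
                if isinstance(value, str) and SSN_RE.search(value):
                    findings[(obj, field)].add("ssn_value")
    return dict(findings)


if __name__ == "__main__":
    for (obj, field), reasons in sorted(inventory(SAMPLE_EXPORT).items()):
        print(f"{obj}.{field}: {', '.join(sorted(reasons))}")
```

The support-case description is flagged only by its contents, which is the kind of field a name-based review of the schema would miss.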
What does attribution look like the morning after?
7-Eleven refused to pay the ransom. The FBI has advised ShinyHunters victims not to give in to demands, warning that payment doesn't guarantee attackers won't extort again or sell the data anyway. The data was leaked regardless.
Now 7-Eleven faces notification requirements across multiple states, each with different timelines and requirements. Massachusetts filings revealed the SSN exposure. Other state filings may reveal more. The full scope of what was taken—and who was affected—is still being determined through the regulatory process.
What would have changed the outcome?
Knowing exactly what sensitive data lived in the Salesforce environment before attackers mapped it for them.
The disclosure gap—contact info first, SSNs later—reveals the inventory problem. When the breach was discovered on April 8, did anyone at 7-Eleven know that Social Security numbers and driver's licenses were accessible through their Salesforce instance? Or did that only become clear during forensic investigation?
ShinyHunters specializes in Salesforce breaches now. They know what to look for. The organizations that survive are the ones who knew what was in their CRM before an attacker's ransom note told them.
7-Eleven found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.