Food Services / Distribution | June 15, 2026 | United States / Global

Sysco Corporation

ShinyHunters dumps 61 million Salesforce records from the world's largest food distributor—restaurant data, employee information, and the business relationships that feed America.

Customer data/PII | Employee data | Corporate information | Sales records | Business relationships

1. What happened?

ShinyHunters claimed a massive breach of Sysco Corporation's Salesforce environment, exfiltrating over 61 million records. Sysco is the world's largest food distributor, with $76 billion in annual revenue, serving restaurants, healthcare facilities, schools, and hotels across 90 countries.

The breach exposed customer data and PII, employee information, and internal corporate data spread across multiple Salesforce tables. For a company that serves as the supply chain backbone for the food service industry, this is an extensive exposure.

2. What data was actually inside?

61 million records across Salesforce tables. Customer data for the restaurants, hospitals, schools, and hotels that Sysco supplies. Employee information for the company's 72,000+ workforce. Sales records, account relationships, and business data.

Sysco's customer base includes nearly every restaurant chain you've eaten at, major hospital systems, school districts, and hotel chains. The Salesforce data maps business relationships across the food service industry—who buys what, from whom, at what price.

3. Who gets hurt and how?

Restaurant owners and food service managers whose contact information and business relationships are exposed. Sysco employees—72,000+ people—whose personal and employment data may be in the dump. Healthcare facilities and schools whose supply arrangements are now visible.

Beyond individual exposure, this is competitive intelligence at scale. Pricing data, customer relationships, sales patterns—competitors would pay significantly for this visibility into the market leader's operations. ShinyHunters just made it free.

4. What did they think they were doing right?

Sysco is a Fortune 50 company with enterprise security operations. They manage massive logistics operations across 330+ distribution facilities. Security investment is substantial.

But Salesforce environments are complex. Multiple orgs, custom integrations, third-party apps, years of accumulated data. The attack surface of a CRM serving $76 billion of annual business is substantial. And ShinyHunters has been specializing in Salesforce breaches throughout their 2026 campaign.

5. What did they not know about their own data?

61 million records across "several tables" suggests years of accumulated CRM data. Old accounts, historical contacts, former employees, inactive customers—all persisting in Salesforce. CRM platforms are designed to remember everything. That's a feature until it's a breach.

How many of those 61 million records represented active business relationships versus historical data that should have been archived or deleted? The breach scope is determined by what actually existed in the system—not what was supposed to be there.

If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?

6. What does attribution look like the morning after?

Employee data triggers notification obligations across states where Sysco operates—which is everywhere. Customer data may require notification to business contacts across the food service industry. This is a massive notification undertaking.

Sysco also supplies healthcare and education—sectors with their own notification requirements. The regulatory complexity of a breach this broad, affecting this many business categories, is substantial.

7. What would have changed the outcome?

Knowing what 61 million Salesforce records actually contained—and implementing retention policies that reduced the historical accumulation.

CRM platforms remember everything by default. Active customer relationships need to be accessible. But contacts from 2015? Former employees? Accounts that haven't ordered in five years? Data inventory and retention enforcement would have dramatically reduced what attackers could exfiltrate.

Sysco Corporation found out the hard way.

Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.