ShinyHunters drains 7-Eleven's Salesforce: 600K+ records, franchisee documents, ransom refused
7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.
- Check
- Audit Connected Apps and OAuth consents in Salesforce. Review login history for unfamiliar IPs and service-account sessions that exported large record sets in the last 90 days. Verify MFA on every API user.
- Affected
- Organizations running Salesforce without Conditional Access on API users, without IP allowlisting on integration users, or with high-privilege Connected Apps that have not been reviewed in the last quarter.
- Fix
- Revoke unused Connected Apps and refresh tokens. Enforce MFA and IP restrictions on every Salesforce identity. Apply Shield Event Monitoring to alert on bulk exports and report downloads. Rotate API keys with broad permissions.