7-Eleven Breach Exposes 185,000 Customer Records
Key Takeaways
- ShinyHunters stole 185,300 unique customer records including names, emails, birthdates, and addresses
- The breach occurred through 7-Eleven's Salesforce environment used for franchisee documents
- After 7-Eleven refused to pay ransom, attackers leaked 9.4GB of stolen data on the dark web
What Happened
On April 8, 2026, the ShinyHunters extortion gang broke into 7-Eleven's internal systems and stole personal information belonging to 185,300 people. The attackers gained access through the company's Salesforce environment, specifically targeting systems used to store franchisee documents.
7-Eleven disclosed the breach in notification letters sent to affected customers on May 1. The company confirmed that "an unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents" but did not publicly attribute the attack to any specific group.
ShinyHunters claimed responsibility on April 17. The gang said they stole over 600,000 records containing corporate data and personally identifiable information. When 7-Eleven refused to pay the ransom demand, ShinyHunters published a 9.4GB archive of stolen documents on their dark web leak site.
What Data Was Stolen
Have I Been Pwned, the data breach notification service, analyzed the leaked data and confirmed the full scope of the exposure. The stolen records include:
- Names
- Dates of birth
- 185,300 unique email addresses
- Phone numbers
- Physical addresses
Troy Hunt, creator of Have I Been Pwned, noted that "a small number of records also contained additional exposed data fields." The service confirmed the breach data aligns with 7-Eleven's statement about franchisee document systems being compromised.
ShinyHunters' Salesforce Campaign
This breach fits a pattern. ShinyHunters has spent the past year targeting Salesforce customers. The gang has breached hundreds of companies through two major campaigns: the Salesforce Aura data theft attacks and the Salesloft Drift campaign. They claim to have stolen billions of records across these operations.
Security researchers tracking the group note that ShinyHunters often gains access through social engineering rather than technical exploits. Discussion on Hacker News pointed to the group's high success rate in compromising corporate Salesforce implementations through this method.
Recent ShinyHunters victims include the European Commission, video service Vimeo, and several Spanish organizations. The gang operates a consistent playbook: breach, demand ransom, leak if unpaid.
7-Eleven's Security History
This is not 7-Eleven's first major security incident. In August 2022, 7-Eleven Denmark suffered a ransomware attack that forced the company to shut down 175 stores after attackers encrypted critical systems.
7-Eleven operates, franchises, and licenses more than 86,000 stores worldwide, including 13,000 in the U.S. and Canada. The company also runs Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations. Its 7Rewards and Speedy Rewards loyalty programs have over 100 million members.
BleepingComputer reached out to 7-Eleven for comment on ShinyHunters' claims and the number of affected individuals. The company did not respond.
Community Response
On Reddit's cybersecurity forum, users focused on the irony of a global chain getting breached through a franchisee application portal. Many questioned the adequacy of 7-Eleven's third-party cloud data security practices, particularly for a company handling data from over 100 million loyalty program members.
“This incident is part of a broader, persistent campaign by ShinyHunters targeting organizations using Salesforce cloud environments.”
— Cybersecurity Analyst, Industry Security Report
What Affected Customers Should Do
If you've applied for a 7-Eleven franchise or provided personal information through their franchisee systems, assume your data was exposed. Take these steps:
- Check Have I Been Pwned to confirm if your email appears in the breach
- Monitor your credit reports for unusual activity
- Be alert for phishing emails that reference 7-Eleven or franchise applications
- Consider a credit freeze if the breach included your Social Security number
Logicity's Take
Frequently Asked Questions
How many people were affected by the 7-Eleven data breach?
185,300 unique customer records were exposed, according to Have I Been Pwned's analysis of the leaked data.
What information was stolen in the 7-Eleven breach?
The stolen data includes names, dates of birth, email addresses, phone numbers, and physical addresses. Some records contained additional data fields.
Who was responsible for the 7-Eleven hack?
The ShinyHunters extortion gang claimed responsibility. They specialize in breaching Salesforce cloud environments and have hit hundreds of companies in the past year.
Did 7-Eleven pay the ransom?
No. 7-Eleven refused to pay, and ShinyHunters subsequently leaked 9.4GB of stolen documents on their dark web site.
How can I check if my data was exposed in the 7-Eleven breach?
Visit Have I Been Pwned and enter your email address. The site will show if your information appears in this or other data breaches.
Need Help Implementing This?
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Related Articles
Browse all
Kraken Crypto Exchange Extortion: Hackers Threaten to Leak Internal Videos After Insider Breach
Cryptocurrency exchange Kraken is being extorted by hackers who obtained videos of internal systems through bribed support employees. The company says no funds were compromised and refuses to pay, with only about 2,000 accounts affected. Kraken is working with federal law enforcement to prosecute everyone involved.
Windows 11 KB5083769 and KB5082052: April 2026 Patch Tuesday Brings Smart App Control Changes and Security Fixes
Microsoft's April 2026 Patch Tuesday updates are now live for Windows 11, bringing critical security patches alongside a welcome change to Smart App Control. You can finally toggle SAC on or off without wiping your entire system. The updates cover versions 23H2, 24H2, and 25H2.
Zero Trust Identity Security: 5 Ways This Framework Actually Stops Credential Theft
Stolen credentials caused 22% of breaches in 2025, making them the top attack vector. Zero Trust promises to fix this, but only when it's built around identity as the core principle. Here's how organizations can implement it properly.
Open Source PR Backlogs: Why Your GitHub Contribution Sits Unreviewed for a Year
A developer's Jellyfin pull request has been waiting over a year for merge despite two approvals, exposing a systemic crisis in open source maintenance. Queuing theory explains why backlogs grow exponentially, and 60% of maintainers have quit or considered quitting due to burnout.
Also Read
5 Package Managers That Work on Windows, Mac, and Linux
Package managers have escaped their Linux origins. Several tools now install software identically across Windows, macOS, and Linux, eliminating the manual download ritual when you switch machines.
North Korean Hackers Behind 47% of US Tech Sector Intrusions
CrowdStrike's latest report reveals that North Korean operatives posing as remote IT workers accounted for nearly half of all state-sponsored intrusions targeting US tech companies over the past year. The hackers use AI-generated deepfakes and stolen identities to land legitimate jobs, then steal intellectual property and cryptocurrency to fund Pyongyang's nuclear program.
npm v12 Blocks Install Scripts by Default to Stop Supply-Chain Attacks
GitHub will ship npm v12 next month with a secure-by-default posture. The update disables automatic execution of preinstall, install, and postinstall scripts. It also blocks Git and remote URL dependencies unless developers explicitly approve them.