Skip to main content
Emerging ThreatsData Breaches

7-Eleven Breach Exposes Franchisee Data After ShinyHunters Attack

Concerned 7-Eleven employee or franchisee looks at document near blurred POS terminal.

"We recently discovered that on April 8, 2026, an unauthorized third party gained access to certain 7‑Eleven systems used to store franchisee documents," 7‑Eleven said.

7‑Eleven confirms breach; notifications filed May 1

Convenience‑store giant 7‑Eleven acknowledged in data‑breach notifications sent to affected individuals on May 1 that it discovered in early April that attackers had gained access to some company systems and the personal information of an undisclosed number of people. The company said it "immediately launched an investigation in order to assess the affected documents and bring this to your attention," and apologized "for any inconvenience this may cause you." Those notices were filed in multiple U.S. states, according to the company disclosures.

ShinyHunters claims responsibility and specifics of the theft

The ShinyHunters extortion group publicly claimed responsibility for the attack on April 17. The gang said it allegedly stole more than 600,000 records containing corporate data and personally identifiable information after breaching 7‑Eleven's Salesforce environment. Less than a week after publicly claiming the breach, ShinyHunters posted a 9.4GB archive of documents to their dark‑web leak site after saying 7‑Eleven refused to pay a ransom.

ShinyHunters posted a statement on the leak site saying, "The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made," the cybercriminals said, according to reporting.

What 7‑Eleven has and has not disclosed

7‑Eleven confirmed unauthorized access to systems that store franchisee documents but has not disclosed which categories of data were exposed or the number of affected individuals. When BleepingComputer contacted the company for further details and to confirm ShinyHunters' claims, "a 7‑Eleven spokesperson was not immediately available for comment," the reporting noted.

The retailer operates, franchises, and licenses over 86,000 stores globally — including about 13,000 in the U.S. and Canada — and its 7Rewards and Speedy Rewards loyalty programs together have more than 100 million members. The company also operates and franchises Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations worldwide.

Context from other incidents and law‑enforcement guidance

ShinyHunters has repeatedly targeted customers of Salesforce over the past year, publicly claiming breaches in campaigns such as "Salesloft Drift" and what the report describes as the "Salesforce Aura" data‑theft attacks. The group has also claimed responsibility for recent breaches at a range of organizations named in reporting, including the European Commission, Vimeo, McGraw‑Hill, Medtronic, Zara, PornHub, Rockstar Games, Match Group, ADT, Google, and Cisco.

The FBI advised victims last Friday not to give in to the threat actors' demands and reiterated a prior warning that paying a ransom "does not guarantee that they will not attempt to extort the victims again or sell the stolen data to other cybercriminals," according to the reporting. Separately, the edtech company Instructure announced last week that it reached an "agreement" with the extortion group to ensure that data stolen in a recent breach would not be leaked online.

How franchisees, loyalty members, and security teams will likely respond

  • Franchisees and loyalty program members: Franchisees whose documents were stored in the affected systems received formal notifications beginning May 1; however, 7‑Eleven has not specified which records or how many individuals were impacted. Those notified will need to review the breach notices and any follow‑up guidance the company issues.
  • Security and cloud teams (Salesforce customers): The attackers' claimed use of a Salesforce environment to exfiltrate data will prompt Salesforce customers and their security teams to review access controls, logging, and vendor configurations for similar exposures, as well as any vendor‑specific incident guidance.
  • Law enforcement and corporate counsel: With an ongoing public leak and an extortion demand reported, companies in the same breach cohort and counsel advising them will be watching for law‑enforcement guidance and for how other victims, like Instructure, negotiate outcomes with extortion groups.

7‑Eleven's disclosure confirms an intrusion on April 8 and formal notifications were sent on May 1, but key details remain at issue: the company has not confirmed the scope of the exposed data or the precise number of affected individuals, while ShinyHunters has publicly posted a sizable archive and publicly quantified the alleged haul as more than 600,000 records. The FBI's public guidance to victims and the recorded pattern of ShinyHunters' Salesforce‑related claims frame the immediate aftermath — notifications, forensic review, and the prospect of further disclosures as investigations continue.

Source: BleepingComputer — 7‑Eleven confirms data breach claimed by the ShinyHunters gang