7-Eleven Data Breach: ShinyHunters Exposes 185,000 Personal Records

by

7-Eleven Data Breach Exposes 185,000 People as ShinyHunters Leaks Franchisee Records

The 7-Eleven data breach is now confirmed: the ShinyHunters extortion gang infiltrated the convenience store giant’s internal systems in April 2026, stealing sensitive personal information belonging to over 185,000 individuals. After 7-Eleven declined to pay the ransom demand, the group published a 9.4GB archive of stolen documents on their dark web leak site, putting the exposed data in the hands of anyone willing to look for it.

With 7-Eleven operating thousands of franchise locations across Canada, this breach carries direct implications for Canadian franchisees, job applicants, and potentially loyalty program members whose data may have been stored in the compromised systems.

What Happened: The Breach Timeline

On April 8, 2026, an unauthorized third party gained access to internal 7-Eleven systems used to store franchisee documents. The company’s Chief Information Security Officer, Jim Kastle, confirmed in filings with U.S. state attorneys general that attackers accessed an internal server housing sensitive records tied to franchise operations.

ShinyHunters publicly claimed responsibility on April 17, stating they had penetrated 7-Eleven’s Salesforce environment and extracted over 600,000 records containing a mix of corporate data and personally identifiable information. The group issued a ransom demand and threatened to publish the stolen data if payment was not made. When 7-Eleven refused to negotiate, ShinyHunters followed through and released the full archive.

7-Eleven began notifying affected individuals through formal data breach notification letters on May 1, 2026. The breach was added to Have I Been Pwned on May 24, 2026, with the service confirming approximately 185,300 unique accounts in the exposed dataset.

What Data Was Exposed

The leaked records cover current, former, and prospective franchisees who submitted personal information during the application and onboarding process. Confirmed exposed data types include:

  • Full names
  • Dates of birth
  • Physical addresses
  • Phone numbers
  • Email addresses

Filings with attorneys general in Maine and Massachusetts revealed that a subset of affected individuals also had Social Security numbers and driver’s license information exposed, significantly raising the personal risk for those individuals. The exact scope of sensitive government ID exposure varies by person depending on what was submitted during the franchisee application process.

Who Is ShinyHunters

ShinyHunters is a criminal hacking and extortion group that has been active since 2020. Security researchers believe the group’s core members are based in Canada and France, making their continued operation a matter of direct concern for Canadian law enforcement and affected organizations domestically.

The group’s attack pattern is consistent across targets: compromise a platform, exfiltrate large volumes of data, issue a ransom demand with a tight deadline, and publish whatever they have if the target does not pay. Their pressure tactics extend beyond corporate systems. The FBI has warned that ShinyHunters actors send threatening text messages and phone calls directly to individual victims and their family members, and have been known to use swatting as an escalation tool.

The 7-Eleven breach is one of many claimed by the group in a highly active stretch of criminal activity in 2026. Other confirmed or claimed ShinyHunters targets this year include the European Commission, Canvas/Instructure (an edtech platform used by thousands of educational institutions), McGraw-Hill, Medtronic, Match Group, Vimeo, ADT, Rockstar Games, Zara, and tech giants Cisco and Google.

On May 15, 2026, the FBI’s Internet Crime Complaint Center issued advisory Alert I-051526-PSA, specifically warning organizations and individuals about ShinyHunters’ ongoing campaign. The FBI advised all victims not to pay, noting that payment provides no guarantee the group will not sell the stolen data or return to extort the same target again.

The Salesforce Attack Vector

ShinyHunters has turned Salesforce misconfiguration into a repeatable attack vector in 2026. Cybersecurity experts examining the pattern have noted that the vulnerability is not within the Salesforce platform itself, but rather in how organizations configure guest user permissions and external access within their Salesforce environments.

When access controls are poorly configured, a single compromised credential or improperly exposed guest account can unlock vast amounts of customer and operational data stored in Salesforce CRM environments. Organizations relying on Salesforce to manage franchisee records, customer relationships, or hiring pipelines need to treat access permission audits as a standing security priority, not a one-time configuration task.

Canadian Impact and PIPEDA Considerations

7-Eleven operates and franchises stores across Canada. Individuals who applied for a 7-Eleven franchise in Canada, or who engaged in any franchisee document submission process, may have their personal information included in the exposed dataset.

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), organizations that suffer a breach involving a real risk of significant harm to individuals are required to notify affected individuals and report the breach to the Office of the Privacy Commissioner of Canada (OPC). Given that the exposed data includes government-issued identification details for a portion of affected individuals, the threshold for significant harm is clearly met.

Canadian organizations should also take note that ShinyHunters has already struck domestically in 2026. The group claimed a breach of Canada Life in April 2026, reportedly compromising millions of insurance records in what researchers described as part of the same Salesforce-focused campaign that hit 7-Eleven.

The Canadian Centre for Cyber Security (CCCS) has consistently identified extortion-based threat actors as a top-tier threat to Canadian businesses and critical infrastructure. The ShinyHunters pattern of targeting high-volume, franchise-model businesses aligns directly with the threat profile the CCCS has warned Canadian organizations about.

Key Takeaways

  • ShinyHunters breached 7-Eleven’s Salesforce environment on April 8, 2026, stealing over 600,000 records before leaking 9.4GB of data after the company refused to pay a ransom.
  • Approximately 185,300 individuals are confirmed affected, with exposed data including names, dates of birth, addresses, phone numbers, and email addresses; some records also include Social Security numbers and driver’s license information.
  • The breach affects current, former, and prospective 7-Eleven franchisees, with direct relevance to Canadian franchise applicants and operators.
  • ShinyHunters is believed to have core members based in Canada and France and has been escalating attacks throughout 2026, with Canada Life among their confirmed Canadian targets.
  • The FBI has issued a formal advisory warning organizations not to pay ShinyHunters’ demands, as payment does not prevent re-extortion or data resale.
  • The attack vector involves misconfigured Salesforce guest user permissions, a pattern ShinyHunters has replicated across multiple high-profile targets this year.
  • Under PIPEDA, Canadian individuals affected by this breach may be entitled to notification and have the right to report concerns to the Office of the Privacy Commissioner of Canada.

What You Should Do Now

  1. Check your exposure immediately. Visit haveibeenpwned.com and search your email address to confirm whether your data appears in the 7-Eleven breach dataset. The breach was added to the service on May 24, 2026.
  2. Monitor for targeted phishing and fraud. With names, dates of birth, phone numbers, addresses, and emails exposed together, attackers can craft highly convincing spearphishing messages. Be suspicious of any unsolicited contact claiming to be from 7-Eleven, financial institutions, or government agencies referencing your personal details.
  3. Place a fraud alert or credit freeze if your government ID was exposed. Individuals notified that their Social Security number or driver’s licence was included in the breach should contact the major credit bureaus in Canada (Equifax Canada and TransUnion Canada) immediately to place a fraud alert or request a security freeze.
  4. Audit your Salesforce environment if you use the platform. Review guest user permissions, external access configurations, and connected app authorizations. Do not wait for an incident to validate that your access controls are properly scoped.
  5. Do not pay if you receive a ShinyHunters extortion message. The FBI explicitly advises against payment. Report any extortion contact to the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre-centreantifraude.ca and to your local RCMP detachment.
  6. File a complaint with the OPC if you believe your rights under PIPEDA have been violated. If you are a Canadian affected by this breach and have not received notification, you can contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
  7. Brief your IT and security team on the Salesforce misconfiguration pattern. The ShinyHunters campaign is actively exploiting the same access control weakness across multiple organizations. A prompt internal review could prevent your organization from becoming the next target.

Leave a Comment