The ShinyHunters extortion gang stole the personal information of over 183,000 people after hacking the systems of convenience store chain giant 7-Eleven in April, according to data breach notification service Have I Been Pwned.
Founded in 1927, 7-Eleven now operates, franchises, and licenses more than 86,000 stores worldwide, including 13,000 stores in the U.S. and Canada. 7-Eleven also operates and franchises Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits locations, and its 7Rewards and Speedy Rewards loyalty programs also have over 100 million members.
The company revealed in data breach notification letters sent to affected customers on May 1 that attackers stole the data of an undisclosed number of individuals after gaining access to some 7-Eleven systems in early April.
“We recently discovered that on April 8, 2026, an unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents,” 7-Eleven said.
While 7-Eleven has not attributed the attack to a specific hacking group or threat actor and has not shared further details on the incident, the ShinyHunters extortion gang claimed responsibility for the attack on April 17.
The cybercriminals claimed to have stolen over 600,000 records containing corporate data and personally identifiable information after breaching 7-Eleven’s Salesforce environment. They then leaked a 9.4GB archive of documents on their dark web leak site after the company refused to pay a ransom to have the stolen data returned and destroyed.
Although a 7-Eleven spokesperson didn’t reply when BleepingComputer reached out to confirm ShinyHunters’ claims and share the number of affected individuals, Have I Been Pwned analyzed the data leaked by the cybercrime group and said the breach exposed the data of 185,300 people, including names, dates of birth, unique email addresses, phone numbers, and physical addresses.
“The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields,” it said. “The company later advised the breach was limited to ‘certain 7-Eleven systems used to store franchisee documents,’ a statement consistent with the exposed data.”
7-Eleven Denmark also confirmed it was the victim of a ransomware attack in August 2022, after the attackers encrypted some of its systems and forced the chain to shut down 175 stores.
ShinyHunters has been targeting Salesforce customers for the past year and breached hundreds of companies, claiming they’ve stolen billions of records in the Salesforce Aura data theft attacks and the Salesloft Drift campaign.
Other breaches recently claimed by ShinyHunters include the European Commission, video service Vimeo, Spanish fast-fashion retailers Zara and MANGO, edtech giant McGraw-Hill, home security giant ADT, medical device maker Medtronic, PornHub, Rockstar Games, online dating giant Match Group, as well as tech giants Cisco and Google.
Two weeks ago, the FBI advised ShinyHunters’ victims not to give in to the threat actors’ demands, after previously warning that paying ransoms does not guarantee that threat actors won’t attempt to sell the stolen data to other cybercriminals or extort the victims again.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
