May 20, 2026
7-Eleven Just Confirmed ShinyHunters Walked Out With 600,000 Records Through Salesforce—And the People Affected Were Trying to Own a Store, Not Buy a Slurpee
A 9.4 gigabyte archive of names, Social Security numbers, driver's licenses, and home addresses is sitting on a dark web leak site after 7-Eleven refused to negotiate. The breach started April 8. The notification arrived more than five weeks later.
What Happened
On May 19, 2026, BleepingComputer reported that 7-Eleven had filed a breach notification with state regulators on May 16 confirming what ShinyHunters had been claiming since April. The convenience store giant's Salesforce environment was breached on April 8. The intruders walked out with what ShinyHunters describes as 600,000 records, packaged as a 9.4 gigabyte archive that is now sitting on the gang's leak site.
The data is from a Salesforce instance 7-Eleven used to store franchisee documents. So the records do not contain a single Slurpee customer or a single delivery app user. The people whose data is in that archive are the ones who applied to operate a 7-Eleven store, and the personal information they handed over to do it is exactly what you would expect: names, driver's licenses, Social Security numbers, and home addresses.
The Salesforce Pattern
7-Eleven is the latest entry in a list ShinyHunters has been building for almost a year. The same gang has hit Salesforce instances belonging to Google, Cisco, Instructure, Vimeo, McGraw-Hill, Hallmark, Pitney Bowes, Canada Life, Cushman & Wakefield, Zara, Carnival, Mytheresa, and Udemy. The pattern is so consistent that "ShinyHunters Salesforce breach" has become its own category in 2026 breach reporting.
The vector almost always starts with phone-based social engineering, voice phishing, or OAuth consent grants targeted at sales or support staff who have legitimate Salesforce access. Once the gang has a session in the CRM, they query the entire object schema, dump every record they can read, and copy the contents to attacker-controlled infrastructure. From there it is a negotiation: pay us or it goes on the leak site.
7-Eleven refused to pay. ShinyHunters' announcement, in the gang's typical post-extortion prose, complained that "the company failed to reach an agreement with us despite our incredible patience."
What's in the Archive
The 9.4 gigabyte dump is small by ShinyHunters standards, but the per-record sensitivity is unusually high. A franchise application is one of the most data-dense forms a person fills out in a commercial context. The applicant has to prove they are a real human being with verifiable identity, prove they can pay the franchise fee, and prove they have no disqualifying criminal or financial history. So the document set typically includes:
- Full legal name and any aliases.
- Social Security number for the credit check.
- A scan or photo of the driver's license or passport.
- Date of birth.
- Home address and a multi-year address history.
- Spouse and dependent details where the application is joint.
- Bank account statements and tax returns covering the financial qualification.
- Background check authorizations and the resulting reports.
7-Eleven has only confirmed that names, driver's licenses, Social Security numbers, and addresses were exposed. The other categories are likely there too. The company has not disclosed the total number of affected individuals, only that two Maine residents were impacted (Maine's notification law triggers at one). The 600,000 record claim is ShinyHunters' number.
The Timeline Gap
The dates in the public record paint an uncomfortable picture:
- April 8 — Unauthorized access to the Salesforce environment.
- April 17 — ShinyHunters publicly claims the breach.
- May 1 — 7-Eleven sends breach notifications to affected individuals.
- May 16 — 7-Eleven files the breach with state regulators.
- May 19 — The leak archive is sitting on ShinyHunters' dark web site.
Five weeks elapsed between the day the intruders got in and the day affected applicants received a letter. For someone whose Social Security number was in that archive, five weeks is plenty of time for the first round of synthetic identity fraud to happen. The breach notification framework treats this as compliance with state law. The franchisees whose data was stolen would probably describe it differently.
Why Franchise Applications Are the Worst Kind of Data to Lose
Most retail breaches expose loyalty program emails and partial payment card numbers. The card numbers are tokenized, the cards get reissued, and the email addresses end up on a phishing list that was already 80 percent there. The damage is real but it is also bounded.
Franchise applications are different because the data is identity-grade. A Social Security number cannot be reissued. A driver's license can be reissued, but only at the cost of changing every record that lives downstream of it. A multi-year address history is a goldmine for the synthetic identity techniques fraudsters use to open new credit lines—the kind of fraud that takes years to unwind and only surfaces when the victim tries to refinance a mortgage and discovers an account they never opened.
For the would-be franchisees, the breach is also a breach of their email. Franchise applications generate dozens of inbound and outbound messages: from corporate, from financing partners, from real estate brokers, from background check vendors. All of that correspondence sat in the same CRM. When attackers exfiltrate from a Salesforce object, the related email and document attachments come along. The applicants now have to assume that every conversation they had with 7-Eleven's franchise team is in the leak.
If You Applied to Run a 7-Eleven Store
The breach notification only goes to people 7-Eleven can identify as affected. If you ever submitted a franchise application or any related document to 7-Eleven, assume you may be in the leak whether or not you got a letter. Practical steps:
- Freeze your credit at all three bureaus. A freeze is free and reversible. It prevents new accounts from being opened in your name without explicit unfreezing.
- Sign up for the credit monitoring 7-Eleven offered in the notification letter. It is not enough on its own but it gives you a faster signal when something does happen.
- Watch your email for follow-on phishing. Attackers who hold a copy of your franchise application know enough about your finances and address history to send extremely convincing impersonation emails. Treat any unexpected message that references your application as hostile by default.
- Get an IRS Identity Protection PIN. The IP PIN program stops anyone from filing a tax return in your name without the PIN, which is the single highest-leverage tax fraud mitigation available to private citizens.
- Document everything. If fraud surfaces later, the dated breach notification is your starting point for disputes with creditors.
The Lesson for Everyone Else
The 7-Eleven breach is not a story about 7-Eleven. It is a story about Salesforce. The CRM has become the universal repository for "everything we know about people who are not yet customers but might become customers." Sales pipelines, partner applications, vendor onboarding, support tickets, and franchise inquiries all flow into the same platform. The platform's strength is also its weakness: a single compromised session can read all of it.
ShinyHunters has been demonstrating this for twelve months across dozens of victims. Most of those victims had MFA enabled. Most of them had a SOC. The breaches happened anyway, because the attackers stopped trying to break the security perimeter and started calling the help desk instead. The MFA push got approved. The OAuth consent got granted. The session was legitimate. Everything that came next was a query the user was technically authorized to run.
7-Eleven will not be the last name on this list. Until enterprises start enforcing geofencing, conditional access, and behavioral analytics on CRM queries, the leak site is going to keep updating. The franchisees, applicants, and customers whose data sits inside those CRMs are the ones paying for the gap.
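A sketch of the behavioral analytics on CRM queries described above, as an added example that is not from the original article or from any vendor's product. The event schema, the object name `FranchiseApplication__c`, the baseline table, and the thresholds are all assumptions made for illustration; the point is that a legitimate session which sweeps many objects, pulls far more rows than its peers, and originates from an unfamiliar country can be flagged even though every query was authorized.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events in a hypothetical schema (not a real Salesforce log
# format): (session_id, user, country, object_name, rows_returned)
EVENTS = [
    ("s1", "alice", "US", "Lead", 40),
    ("s1", "alice", "US", "Account", 25),
    ("s2", "bob", "US", "Case", 60),
    ("s2", "bob", "US", "Contact", 30),
    ("s3", "carol", "US", "Opportunity", 55),
    ("s4", "alice", "NL", "Lead", 48000),
    ("s4", "alice", "NL", "Account", 91000),
    ("s4", "alice", "NL", "Contact", 120000),
    ("s4", "alice", "NL", "FranchiseApplication__c", 52000),
    ("s4", "alice", "NL", "Attachment", 75000),
]
# Hypothetical baseline of countries each user normally signs in from.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

def summarize(events):
    """Aggregate per session: user, country, distinct objects, total rows."""
    sessions = defaultdict(lambda: {"user": None, "country": None, "objects": set(), "rows": 0})
    for sid, user, country, obj, rows in events:
        s = sessions[sid]
        s["user"], s["country"] = user, country
        s["objects"].add(obj)
        s["rows"] += rows
    return dict(sessions)

def flag_sessions(events, usual=USUAL_COUNTRIES, row_factor=20, max_objects=4):
    """Return {session_id: [reasons]} for sessions that look like a bulk export."""
    sessions = summarize(events)
    # The median stays close to normal usage even when one session is an outlier.
    typical_rows = median(s["rows"] for s in sessions.values())
    alerts = {}
    for sid, s in sessions.items():
        reasons = []
        if s["rows"] > row_factor * typical_rows:
            reasons.append("row_volume")      # far more rows than peer sessions
        if len(s["objects"]) >= max_objects:
            reasons.append("object_sweep")    # touching many object types at once
        if s["country"] not in usual.get(s["user"], set()):
            reasons.append("new_country")     # geofence / conditional-access signal
        if reasons:
            alerts[sid] = reasons
    return alerts
```

In practice the three signals would feed a conditional-access decision (step-up authentication or session revocation) rather than only an alert, and the thresholds would be tuned per role.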