Jun 30, 2026 · 5 min read
Sysco Breach: ShinyHunters Dumps 2.7M Emails After Deadline
ShinyHunters claimed 61 million Salesforce records from the world's largest food distributor on June 16, set a 48 hour payment deadline, and published the data when Sysco didn't pay — adding 2,691,852 accounts to HaveIBeenPwned on June 28.
Sysco, which supplies food to roughly 700,000 restaurants, hospitals, and hotels across North America, did not pay. ShinyHunters gave the company a deadline of June 18 to negotiate. When that date passed without a deal, the group published what they claimed were 61 million Salesforce records from Sysco's CRM systems. Ten days later, on June 28, HaveIBeenPwned added 2,691,852 confirmed compromised accounts to its database — employees, vendors, and business customers whose contact data is now circulating freely. It was the second time in roughly six weeks that Sysco's systems had been breached.
Key Takeaways
- ShinyHunters claimed 61 million Salesforce records from Sysco on June 16, 2026, and set a ransom deadline of June 18.
- HaveIBeenPwned added 2,691,852 compromised Sysco accounts to its database on June 28 after Sysco did not pay.
- Exposed data includes email addresses, full names, job titles, phone numbers, physical addresses, internal account IDs, and customer feedback records.
- The Qilin ransomware gang had already claimed a separate breach of Sysco in early May 2026 — making this the company's second publicly claimed attack within two months.
- ShinyHunters used OAuth token exploitation and dormant API credentials inside Salesforce, the same technique used against Kodak, Ralph Lauren, and the Council of Europe.
What Data Did ShinyHunters Steal?
The published dataset is a corporate contact directory at scale. According to TechNadu's analysis, the confirmed fields include:
- 2,691,852 unique email addresses — the figure HIBP confirmed after deduplication
- Full names and job titles, identifying role and seniority within each organization
- Phone numbers, both direct lines and mobile
- Physical mailing addresses, including delivery locations
- Internal Salesforce account IDs linking records to customer accounts
- Customer feedback and support ticket records
This is not consumer data. Sysco's customers are purchasing managers, executive chefs, hospital procurement officers, and hotel supply chain leads. The 2.7 million records represent the professional contact details for the decision makers at hundreds of thousands of food service businesses — a highly targeted B2B dataset that is worth considerably more on criminal forums than an equivalent set of consumer email addresses.
How Did ShinyHunters Get In?
The Sysco breach follows the same playbook ShinyHunters has used across dozens of enterprise targets in 2026: OAuth token exploitation and dormant API credentials inside Salesforce. Mitiga's technical analysis of earlier campaigns documents two primary entry methods.
In the first, ShinyHunters uses voice phishing — calling employees while impersonating IT support — to trick them into authorizing a connected application inside Salesforce's connected apps interface. That authorization generates a persistent OAuth token the attacker controls. In the second, the group scans GitHub repositories and code leaks using tools like TruffleHog to find API keys and OAuth tokens that developers committed accidentally and never revoked. Both methods bypass password based authentication entirely and leave few indicators in standard login monitoring.
Once inside, attackers enumerate the Salesforce object catalog via REST API calls and run sustained looped queries to exfiltrate CRM records at scale. The ShinyHunters Salesforce Aura campaign that hit 400 companies in March 2026 used this exact method; Sysco's breach appears to be a continuation of the same operational pattern.
Why Was Sysco Hit Twice?
The Qilin ransomware gang claimed to have infiltrated Sysco's networks in early May 2026 and listed the company on its dark web leak site with a ransom deadline — a separate attack from an entirely different threat actor. Cybernews confirmed the ShinyHunters claim arrived roughly six weeks after the Qilin posting.
Two separate breach claims from two separate groups within two months is not coincidence — it signals that Sysco's environment had multiple unresolved access issues simultaneously. Qilin typically targets on premise or hybrid infrastructure with ransomware deployment. ShinyHunters targets SaaS CRM platforms via credential abuse. These are different attack surfaces, meaning the remediation steps for one would not have addressed the other. Organizations that discover one intrusion and treat it as an isolated event routinely miss parallel compromises already underway.
What Does 2.7M Corporate Emails Enable?
Corporate contact data is the foundation of business email compromise. A dataset of verified email addresses paired with job titles, company names, and phone numbers gives attackers everything they need to impersonate vendors, fake invoices, and redirect payments. Sysco's customers are businesses that process large purchase orders — the exact target profile for BEC fraud, which the FBI's IC3 reported caused over $2.9 billion in losses in 2023 alone. Source: FBI IC3 2023 Annual Report.
The customer feedback and support ticket records deepen the threat. An attacker who knows that a specific restaurant chain had an unresolved delivery dispute with Sysco in February can open a follow up email referencing that exact issue. The recipient has no way to distinguish that from a legitimate Sysco communication. Spear phishing at this level of specificity defeats employee training, because the email isn't asking anyone to do something unusual — it's appearing to resolve an existing relationship.
This is the same dynamic that made the Kodak ShinyHunters breach dangerous well beyond its headline record count: CRM data doesn't just expose contacts, it exposes context.
Why Email Users Should Care
The 2.7 million accounts in this dataset belong to professionals, not consumers. If your organization does business with Sysco — or if you work in food service, hospitality, or healthcare supply — your work email address may now be part of a criminal targeting list paired with your job title and employer. Check your address at HaveIBeenPwned; HIBP confirmed the Sysco dataset on June 28.
The practical risk is not spam. It's targeted email that arrives in weeks or months referencing your company's actual Sysco account, a real order number, or a genuine support interaction. Stolen CRM data gets weaponized this way: the breach is news on day one, the phishing campaigns built from it run quietly for the following year. Anyone in a procurement, finance, or operations role at a Sysco customer should treat any inbound email claiming to be from Sysco — billing updates, delivery changes, account notices — with heightened scrutiny regardless of how convincing the detail appears.
What to Do Now
For individuals and security teams responding to this breach:
- Check affected addresses at HaveIBeenPwned — the Sysco breach is indexed and searchable as of June 28, 2026.
- Audit Salesforce connected applications and revoke any OAuth tokens that are not actively used — dormant credentials are the primary entry point in this campaign.
- Review Salesforce API access logs for sustained looped queries against the Contact, Account, and Case objects, which indicate systematic exfiltration rather than normal CRM usage.
- Alert finance and procurement staff at organizations with Sysco accounts to flag any inbound Sysco email requesting payment changes, banking updates, or account verification.
- Treat any email referencing a specific Sysco account ID, order history, or support ticket as potentially crafted from this dataset until verified through a known good channel.
For Salesforce administrators specifically: the Help Net Security coverage of the March 2026 Salesforce Aura campaign contains specific detection guidance for the REST API query patterns ShinyHunters uses. The Sysco breach suggests those patterns are still active and undetected in enterprise environments six months into the campaign.