7-Eleven Confirms Data Breach Linked to ShinyHunters Ransomware Group

Severity: High (Score: 67.5)

Sources: Kavout, Therecord.Media, Cybersecuritydive, Thecyberexpress, www.cstoredive.com

Published: 2026-05-19 · Updated: 2026-05-20

Keywords: eleven, data, breach, personal, information, systems, franchisee

Severity indicators: breach, data breach, personal information

Summary

7-Eleven confirmed a cyberattack that occurred in April 2026, in which unauthorized access to its internal systems exposed personal information linked to franchisee applications. The breach was claimed by the ShinyHunters ransomware group, which claimed to have stolen over 600,000 records, including names and addresses. 7-Eleven began notifying affected individuals on May 1, 2026, and is offering 24 months of free credit monitoring services. The company discovered the breach on April 8, 2026, and has since initiated an investigation and remediation efforts. While payment information has not been reported stolen, the breach raises concerns for franchisees and loyalty program members. The extent of the impact on individuals remains undisclosed, and 7-Eleven has not confirmed the total number of affected franchisees.

Key Points:

  • 7-Eleven's systems were breached in April 2026, exposing franchisee application data.
  • ShinyHunters claimed responsibility, alleging theft of over 600,000 records.
  • Affected individuals are being offered 24 months of credit monitoring services.

Detailed Analysis

**Impact** The breach affected an unknown number of individuals who submitted personal information during the 7-Eleven franchise application process, including names, addresses, and other undisclosed data elements. Over 600,000 Salesforce records containing personally identifiable information (PII) and internal corporate data were compromised. The incident impacts franchisees primarily across North America, where 7-Eleven operates nearly 13,000 stores, with a global footprint exceeding 85,000 locations. The breach does not appear to have affected general customers or payment information but poses risks of targeted phishing, fraud, and identity theft within the franchise ecosystem.

**Technical Details** The attack vector was unauthorized access to 7-Eleven’s Salesforce environment, exploited by the ShinyHunters ransomware group as part of a “pay-or-leak” extortion campaign. The group gained access to systems storing franchisee documents and exfiltrated approximately 9.4 GB of compressed data. No specific malware, CVEs, or additional TTPs were disclosed, but the intrusion aligns with ShinyHunters’ known tactics of leveraging cloud-based SaaS platforms and data leaks to pressure victims. The kill chain stages included initial access, data exfiltration, and public data leak following failed ransom negotiations.

**Recommended Response** Organizations using Salesforce or similar cloud platforms should review access controls and audit logs for unauthorized activity, applying the principle of least privilege to franchisee and partner portals. Deploy detection rules for anomalous data access patterns and monitor dark web sources for leaked data related to franchise operations. Affected individuals should be advised to monitor financial accounts, review credit reports, and be vigilant against phishing attempts impersonating 7-Eleven. No specific patches were mentioned; focus should be on incident response, forensic investigation, and enhanced monitoring of franchise system environments.

Source articles (9)

  • 7 — Thecyberexpress · 2026-05-19
    7-Eleven has confirmed that its internal systems were breached in April 2026, exposing personal information linked to franchisee application records. The disclosure of 7-Eleven data breach comes weeks…
  • 738129 — www.cstoredive.com · 2026-05-20
    Gas Express, which operates 160 locations, reported that some names, social security numbers and driver’s license numbers in its system were compromised. The same day it reported its breach to the Mas…
  • 7-Eleven confirms April cyberattack after ShinyHunters leak claims — Cybernews · 2026-05-19
    7-Eleven confirms its internal systems were breached in April, exposing the information of an unknown number of individuals just weeks after the ShinyHunters ransomware group listed the global conveni…
  • 7-Eleven Data Breach Exposes Personal Information of Individuals — Claimdepot · 2026-05-18
    7-Eleven Inc., the American convenience store chain headquartered in Irving, Texas, recently disclosed a data breach after an unauthorized third party accessed company systems that stored franchisee…
  • 7-Eleven hit by data breach | C — Cstoredive · 2026-05-20
    The retailer confirmed that an unauthorized third party gained access to certain systems used to store franchisee documents earlier this spring. At least 50 people have been impacted. 7-Eleven’s spoke…
  • 7 — Therecord.Media · 2026-05-20
    The breach notification letters say 7-Eleven discovered the breach on April 8 and, after an investigation, determined that the cybercriminals gained access to “certain 7-Eleven systems used to store f…
  • 7 — Bleepingcomputer · 2026-05-19
    Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month. Founded in 1927, 7-Eleven now operates, franchi…
  • What are the Immediate Financial Implications for 7 — Kavout · 2026-05-20
    The confirmation of a data breach at 7-Eleven by the notorious ShinyHunters group on May 19, 2026, following an intrusion detected on April 8, 2026, immediately triggers a cascade of financial conse…
  • 7 — Cybersecuritydive · 2026-05-20
    The retailer confirmed that an unauthorized third party gained access to certain systems used to store franchisee documents earlier this spring. 7-Eleven’s spokesperson said that the convenience retai…

Timeline

  • 2026-04-08 — Breach discovered by 7-Eleven: 7-Eleven identified unauthorized access to its systems storing franchisee documents.
  • 2026-04-17 — ShinyHunters claims responsibility: The ransomware group announced they had stolen data from 7-Eleven and threatened to leak it.
  • 2026-05-01 — Notification letters sent to affected individuals: 7-Eleven began notifying individuals whose data may have been compromised in the breach.
  • 2026-05-15 — Notice of Security Incident filed: 7-Eleven filed a notice with the Maine Attorney General's Office regarding the breach.
  • 2026-05-20 — 7-Eleven offers credit monitoring services: The company is providing 24 months of complimentary identity theft protection to affected individuals.

Related entities

  • ShinyHunters (Apt Group)
  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Pay-or-leak (Campaign)
  • Salesforce Aura Data Theft Attacks (Campaign)
  • Salesloft Drift Campaign (Campaign)
  • Trinity Of Chaos (Campaign)
  • 7-Eleven (Company)
  • 7-Eleven Denmark (Company)
  • ADT (Company)
  • Alert 360 (Company)
  • Ameriprise Financial (Company)
  • Amtrak (Company)
  • Carnival (Company)
  • Cisco (Company)
  • European Commission (Company)
  • Flagstar Bank (Company)
  • Google (Company)
  • Harvard University (Company)
  • Hims & Hers (Company)
  • Instructure (Company)
  • LA Financial Federal Credit Union (Company)
  • Match Group (Company)
  • McGraw-Hill (Company)
  • Medtronic (Company)
  • Pitney Bowes (Company)
  • PornHub (Company)
  • Rockstar Games (Company)
  • Wynn Resorts (Company)
  • Zara (Company)
  • Salesforce (Company)
  • Snowflake (Company)
  • Vimeo (Platform)
  • Canada (Country)
  • Denmark (Country)
  • Japan (Country)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • 7-11.com (Domain)
  • identitytheft.gov (Domain)
  • Finance (Industry)
  • Retail (Industry)
  • Technology (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Salesloft (Tool)