ShinyHunters Claims 600,000-Record 7-Eleven Salesforce Breach

ShinyHunters claimed, and 7-Eleven confirmed, a breach of 7-Eleven's Salesforce CRM containing over 600,000 records, with a ransom demand issued to the retail chain.

    ShinyHunters claimed responsibility for breaching 7-Eleven’s Salesforce CRM environment and stealing more than 600,000 records containing personal and corporate data. 7-Eleven confirmed the breach after ShinyHunters issued a ransom demand, making this a confirmed extortion incident against one of the world’s largest convenience store chains with more than 85,000 locations globally. The theft follows a pattern of ShinyHunters attacks targeting cloud-hosted CRM and SaaS platforms rather than on-premises infrastructure.

    ShinyHunters’ Salesforce Attack on 7-Eleven: 600,000+ Records Exfiltrated from the CRM

    ShinyHunters accessed 7-Eleven’s Salesforce CRM environment, a cloud-hosted platform that aggregates customer and business relationship data at scale. The attackers exfiltrated over 600,000 records from that environment before issuing the ransom demand that prompted 7-Eleven’s confirmation.

    Salesforce CRM environments are high-value targets because they centralize personally identifiable information, corporate contact records, and transaction histories into a single accessible system. Compromising CRM access in a single attack yields the kind of data volume and variety that previously required breaching multiple backend systems.

    What the Stolen 7-Eleven Salesforce Records Contain

    The stolen records contain personal data, likely a combination of customer and employee information stored in 7-Eleven’s Salesforce instance. Full field-level details of what was exfiltrated were not disclosed at the time of reporting, but the 600,000+ record count from a CRM environment suggests the haul includes contact information, account details, and potentially transaction or loyalty program data.

    7-Eleven’s confirmation of the breach came after ShinyHunters publicly announced the theft and issued a ransom demand. The sequence — public claim followed by corporate confirmation — is consistent with extortion operations where the attacker uses the threat of data publication to compel acknowledgment and payment.

    ShinyHunters’ Escalating CRM and SaaS Targeting: Ticketmaster, Santander, AT&T, 7-Eleven

    ShinyHunters is a prolific threat group with a documented record of high-profile cloud platform breaches. Prior confirmed incidents attributed to the group include Ticketmaster, Santander, and AT&T — all large organizations where the breach involved cloud-hosted data rather than traditional on-premises infrastructure.

    The 7-Eleven incident is consistent with this pattern. Rather than attacking perimeter infrastructure or exploiting enterprise network vulnerabilities, ShinyHunters has repeatedly demonstrated the ability to access cloud-hosted data platforms directly. The shift toward CRM and SaaS-hosted data reflects both the migration of sensitive data to cloud platforms and the security gaps that can emerge when access controls on those platforms are insufficiently hardened.

    The Coinbase Cartel Link Connecting 7-Eleven and Grafana Breaches in May 2026

    ShinyHunters has recently been associated with the Coinbase Cartel threat cluster, which also claimed responsibility for the Grafana source code theft reported separately on May 18, 2026. The overlap between the ShinyHunters and Coinbase Cartel attribution indicates an active, coordinated threat cluster conducting multiple high-profile intrusions in the same period.

    The concentration of ShinyHunters and Coinbase Cartel activity in May 2026 — spanning the Grafana source code theft and the 7-Eleven CRM breach — suggests a high-tempo campaign phase for this threat cluster, with organizations using cloud-hosted SaaS platforms as the consistent target type.
