ShinyHunters posted a listing on June 15 claiming to have exfiltrated 61 million records from Sysco Corporation’s Salesforce CRM environment and set a June 18 deadline for the food distribution company to respond. The group stated that if Sysco does not reply before the deadline, it will publish the data or offer it for sale to a third party. Sysco has not confirmed or denied the claim.
ShinyHunters’ Sysco Claim: 61 Million CRM Records Including Proprietary Pricing Schedules
The listing was observed by threat intelligence monitoring service Ransomware.live. According to the posting, the exfiltrated data spans multiple years and includes customer account records, restaurant operator contact information, sales representative assignments, proprietary pricing schedules, and purchasing history. ShinyHunters provided a sample file as proof, which appeared to contain actual Sysco customer account identifiers, revenue figures, and contact records.
Sysco is one of the world’s largest food distribution companies, supplying restaurants, healthcare facilities, and hospitality businesses across North America and internationally. The categories of data described in the ShinyHunters listing — pricing schedules, purchasing histories, and customer account details — represent commercially sensitive operational information at the core of Sysco’s customer relationships, extending to the restaurant and hospitality businesses Sysco serves as downstream clients.
ShinyHunters’ Claimed OAuth Token Methodology and Prior Salesforce-Adjacent Listings
ShinyHunters’ typical claimed access methodology for Salesforce-environment intrusions involves harvesting Salesforce connected-app OAuth tokens from public code repositories or compromised developer machines, rather than exploiting a vulnerability in Salesforce’s platform directly. The group has made similar claims previously, including a posting involving records from Baker Distributing and a separate claim of 297 gigabytes of data described as a Council of Europe exfiltration — the latter posted the same day as the Sysco listing. The sell-or-publish deadline structure is consistent across multiple ShinyHunters listings. No independent verification of the Sysco sample data has been publicly reported.
Sysco’s Scale and What a Confirmed Breach of 61 Million CRM Records Would Mean
A confirmed exfiltration of 61 million records from Sysco’s Salesforce CRM environment would represent one of the largest Salesforce-environment breaches publicly disclosed in 2026. Because Sysco’s CRM contains commercial data across its full customer base — including pricing agreements, purchasing histories, and operator contacts — a confirmed breach would expose data belonging to the restaurant, healthcare, and hospitality businesses Sysco serves, not only Sysco itself.
Sysco’s reach across North America and internationally means the claimed dataset, if real, would span customers across multiple industries and geographies. The sample file ShinyHunters provided contained what appeared to be specific business identifiers and revenue figures, rather than generic or synthetic records, though no independent forensic analysis of the sample has been publicly disclosed.
Sysco’s Prior Breach History and Its Silence on the ShinyHunters Claim
Sysco disclosed a prior cybersecurity incident in which business data was exfiltrated. That incident was attributed to different threat actors than ShinyHunters. Sysco has not issued any public statement confirming or denying the current ShinyHunters claim, and whether the company is actively investigating the listing has not been confirmed publicly.
The ShinyHunters claim remains unverified at time of publication. The group’s history of posting claims with short deadlines and sample files does not, by itself, confirm data was obtained in the manner described.
ShinyHunters’ Sell-or-Publish Threat and Downstream Customer Exposure Risk
The deadline ShinyHunters imposed creates time pressure not only on Sysco’s internal incident response process but also on the downstream restaurant, healthcare, and hospitality customers whose account details, pricing data, and purchasing records may be included in the claimed dataset. If the group follows through on its stated threat and publishes or sells the data, that information would move to third parties before Sysco has publicly confirmed whether a breach occurred.
Sysco’s customer base spans restaurants, healthcare operators, and hospitality businesses supplied across North America and internationally, meaning a confirmed breach of the claimed scope could affect a broad range of organizations that have no direct visibility into Sysco’s security posture.
