7-Eleven’s May 1 breach notification letters document an April 8 intrusion into systems storing franchisee documents. ShinyHunters claimed responsibility nine days after the breach, demanded ransom, and published a 9.4 GB archive when 7-Eleven refused to pay.
Have I Been Pwned’s breach entry analyzed the leaked archive and confirmed 185,300 people’s data was exposed: names, dates of birth, physical addresses, phone numbers, and email addresses. A small subset contained additional data fields 7-Eleven hasn’t described.
ShinyHunters claimed 600,000 records stolen — about three times what HIBP counted. That discrepancy matters. The notification language, “certain 7-Eleven systems used to store franchisee documents,” is narrower than ShinyHunters’ Salesforce framing, and state breach notification statutes turn on what systems were accessed. That gap between claimed and confirmed scope is worth tracking.
ShinyHunters has spent the past year running the Salesforce Aura data theft campaign against hundreds of companies, claiming billions of records stolen. ADT, Medtronic, and the European Commission are all among the group’s recent claimed victims. If your org uses any Salesforce-connected environment, the FBI’s May 15 advisory is worth reviewing before your next vendor access audit.
The August 2022 ransomware attack on 7-Eleven Denmark shut 175 stores. Two hits on the same network in four years suggest the post-2022 root cause review didn’t fully resolve the access control gap.
Worth auditing your Salesforce guest-user ACLs this quarter.
— Rebecca Lauren