Cyber Incident Victim: 7-Eleven
Date:
Apr 2026
Location:
United States of America
Summary
7-Eleven experienced a data breach in which attackers accessed an internal server holding franchisee documents and exfiltrated personal information from Salesforce records. The compromised data includes names, addresses, email addresses, dates of birth, phone numbers, and for some individuals Social Security numbers and driver’s license details. The extortion group ShinyHunters claimed responsibility, threatened to publish the data unless a ransom was paid, and later made the information available on a hacking forum. HaveIBeenPwned added the dataset, estimating that over 185,000 individuals were affected. The breach was reported to state attorneys general in Maine and Massachusetts, confirming the scope of the exposed personal data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 8, 2026, attackers gained access to an internal server used by 7‑Eleven to store franchisee documents, according to a statement from the company’s chief information security officer, Jim Kastle, filed with the Maine Attorney General’s Office. The breach was discovered in mid‑April and a formal data‑breach notice was submitted to Maine’s authorities earlier that month, with a separate listing later appearing with the Massachusetts Attorney General’s Office. HaveIBeenPwned added the compromised dataset to its database on May 26, 2026, reporting that the incident likely affects just over 185,000 individuals. The exposed information includes names, physical addresses, email addresses, dates of birth, and phone numbers, with the Massachusetts listing indicating that Social Security numbers and driver’s license numbers were also part of the compromised data for a subset of victims.
The extortion group ShinyHunters claimed responsibility for the intrusion, posting a notice on its leak website in mid‑April that it had stolen approximately 600,000 Salesforce records from 7‑Eleven and demanding a ransom payment by April 21. When the ransom was not paid, the group offered the data for sale on a Russian hacking forum and subsequently published the information online, which allowed HaveIBeenPwned to parse and analyze the leaked records. ShinyHunters stated that it would release the data publicly if its demands were not met, a pattern consistent with its prior attacks on organizations such as Instructure, Vimeo, Wynn Resorts, Vercel, and Medtronic, which it has also claimed via phishing, third‑party integrations, and misconfigurations of Salesforce instances.
The breach impacts roughly 185,300 people, with additional data fields compromised for a small portion of those individuals. 7‑Eleven’s filings with state attorneys general confirm that the attackers accessed franchise‑related servers and that the compromised data spans personal identifiers and, in some cases, government‑issued numbers. HaveIBeenPwned’s listing notes that the stolen data aligns with the company’s description of the incident and includes the specific fields identified in the breach notices. No further details about containment, remediation, or notification to affected individuals are provided in the available sources.