Hacker working on laptop showing data breach by ransomware gang

Store Chain 7-Eleven Confirms Data Breach Linked to the ShinyHunters Ransomware Gang

American convenience store chain 7-Eleven is notifying individuals of a data breach claimed by the prolific ransomware gang ShinyHunters.

Irving, Texas-based 7-Eleven operates over 86,000 stores worldwide and generates approximately $80 billion in annual revenue.

In early April 2026, the store chain learned that an unauthorized entity had gained access to a document storage system.

“We recently discovered that on April 8, 2026, an unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents,” the company stated.

7-Eleven confirms data breach

The store chain responded by launching an investigation involving a leading forensics firm to determine the nature of the information stolen and to whom it pertained. The investigation determined that the data breach had leaked personal details.

“Through our investigation, we have determined that documents involved in the incident included the information you provided to us during your franchise application,” the company said.

According to data breach notification letters sent to impacted customers, the incident exposed their names, addresses, and “other data elements,” potentially varying by individual, and may have included Social Security Numbers. The compromised franchise filing system may also have exposed contracts, financial records, and legal documents. Currently, 7-Eleven has notified relevant authorities in Maine, Massachusetts, and Vermont.

However, the company has yet to disclose the number of affected individuals, the attack vector exploited, the identity of the threat actor, or the ransom amount demanded. Nevertheless, the FBI discourages paying the ransom as doing so does not guarantee data recovery and could encourage the ransomware group to target more organizations.

Meanwhile, 7-Eleven is offering 24 months of free identity theft protection services and CyberScan monitoring through IDX. Victims should also monitor their financial statements and credit reports and report any anomalies. They should also consider placing fraud alerts or a security freeze to prevent fraudsters from opening new credit lines.

Store chain 7-Eleven has previously experienced a data breach in its Denmark operation that disrupted 175 stores across the country after an unnamed ransomware gang encrypted its devices.

“This is a visibility problem before it’s anything else,” said Gidi Cohen, CEO & Co-founder, Bonfy.AI. “Organizations accumulate sensitive data faster than they track it. It spreads across CRM platforms, document stores, and franchisee systems, often without clear ownership, often without anyone knowing exactly what’s there. By the time a breach surfaces, the data has already been living somewhere it probably shouldn’t have been for months or years.”

ShinyHunters ransomware gang behind 7-Eleven data breach

The ShinyHunters ransomware gang has taken responsibility for the 7-Eleven data breach. It claims to have stolen over 600,000 Salesforce records containing personal information and corporate data.

“Over 600k Salesforce records containing PII and other internal corporate data have been compromised,” ShinyHunters claimed.

It also leaked 9.4 GB of the stolen data after the company allegedly failed to pay the ransom, despite “all the chances and offers we made,” according to the ransomware gang. Additionally, the group had listed the stolen data for sale on an underground forum for $250,000.

“What stands out in this incident is not just the breach itself, but the target profile,” said Ensar Seker, CISO at SOCRadar. “Franchise ecosystems create a very different risk surface compared to centralized enterprises. Even if customer-facing systems remain unaffected, franchisee portals often contain highly sensitive operational, financial, legal, and identity-related documentation that can be leveraged for fraud, extortion, social engineering, or supply chain pivoting.”

ShinyHunters recently breached the Canvas learning management system (LMS) provider, Instructure, and disrupted its operations. It also exfiltrated approximately 280 million records from faculty, staff, and students across more than 8,000 institutions, online learning platforms, and school districts.

However, Instructure says normal operations have resumed, and it has negotiated with the ransomware gang to prevent the stolen information from leaking online.

The ransomware gang has also victimized Google, Cisco, Vimeo, Zara, Rockstar Games, AT&T, SoundCloud, Ticketmaster, Match Group, Medtronic, McGraw-Hill, Wynn Resorts, and Air France-KLM.

ShinyHunters has demonstrated experience breaching software-as-a-service platforms such as Salesforce and Salesloft, and cloud providers such as Snowflake, resulting in supply chain attacks affecting hundreds of organizations after stealing OAuth tokens.