ctipilot.ch

7-Eleven confirms ShinyHunters breach of 600K+ Salesforce franchise-application records (campaign same as Instructure / Vimeo / Wynn / Vercel / Medtronic)

incident · item:7-eleven-confirms-shinyhunters-salesforce-breach-600k-recor

Coverage timeline: 1 (first 2026-05-19 → last 2026-05-19)
Briefs: 1 (1 distinct)
Sources cited: 5 (5 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-19 · CTI Daily Brief — 2026-05-19
    active_threats · First coverage. April 8 2026 intrusion; ShinyHunters listed April 17; Maine AG filing May 1; victim confirmation May 18. Campaign vector is identity-side (Connected App OAuth, phishing, third-party SaaS misconfig), not Salesforce-product.

Where this entity is cited

  • active_threats: 1

Source distribution

  • maine.gov: 1 (20%)
  • securityaffairs.com: 1 (20%)
  • securityweek.com: 1 (20%)
  • enisa.europa.eu: 1 (20%)
  • security.paloaltonetworks.com: 1 (20%)

Related entities

Items in briefs about 7-Eleven confirms ShinyHunters breach of 600K+ Salesforce franchise-application records (campaign same as Instructure / Vimeo / Wynn / Vercel / Medtronic) (1)

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side: Connected App OAuth grant abuse, phishing of admin sessions, and mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. Mapped ATT&CK techniques: T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).
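One way to prototype the Event Monitoring alerts recommended above, as an added example that is not part of the brief or of any Salesforce tooling. The column names are modelled on EventLogFile CSV exports and should be verified against your own org; the sample rows, the merged single-CSV layout, the trusted range and both thresholds are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample rows; column names are modelled on Event Monitoring
# EventLogFile CSVs and are assumptions to verify against your own org.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ROWS_PROCESSED
API,2026-01-10T09:02:11.000Z,005A,192.0.2.10,200
ReportExport,2026-01-10T09:15:40.000Z,005A,192.0.2.10,
API,2026-01-10T13:01:05.000Z,005B,198.51.100.7,48000
API,2026-01-10T13:20:32.000Z,005B,198.51.100.7,61000
ReportExport,2026-01-10T14:03:00.000Z,005C,192.0.2.44,
ReportExport,2026-01-10T14:09:12.000Z,005C,192.0.2.44,
ReportExport,2026-01-10T14:31:54.000Z,005C,192.0.2.44,
"""

QUERY_EVENTS = {"API", "RestApi", "BulkApi"}  # event types that carry row counts

def detect(log_text, trusted_cidrs, max_rows_per_hour=50000, max_exports_per_hour=3):
    """Return sorted (user, hour, reason) alerts for one batch of events."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    rows = defaultdict(int)      # (user, hour) -> rows returned by API queries
    exports = defaultdict(int)   # (user, hour) -> number of report exports
    alerts = set()
    for ev in csv.DictReader(io.StringIO(log_text)):
        key = (ev["USER_ID"], ev["TIMESTAMP_DERIVED"][:13])  # bucket by hour
        ip = ipaddress.ip_address(ev["CLIENT_IP"])
        if not any(ip in n for n in nets):
            alerts.add(key + ("untrusted_ip",))
        if ev["EVENT_TYPE"] in QUERY_EVENTS:
            rows[key] += int(ev["ROWS_PROCESSED"] or 0)
        elif ev["EVENT_TYPE"] == "ReportExport":
            exports[key] += 1
    # Thresholds are illustrative; tune them to each tenant's normal volume.
    alerts |= {k + ("bulk_query",) for k, v in rows.items() if v >= max_rows_per_hour}
    alerts |= {k + ("bulk_export",) for k, v in exports.items() if v >= max_exports_per_hour}
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(alert)
```

Aggregating per user and hour catches extraction that is split across many moderate-sized queries, which a per-request row limit would miss.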