7-Eleven confirms its internal systems were breached in April, exposing the information of an unknown number of individuals just weeks after the ShinyHunters ransomware group listed the global convenience store chain as part of its recent “pay-or-leak” campaign.

The Texas-based retail giant has now begun sending a "Notice of Security Incident" to affected individuals, according to a sample letter filed with the Maine Attorney General's Office on May 15th.

“On behalf of 7-Eleven, Inc., we are writing to inform you about a recent incident that involved personal information about you,” the May 1st document begins.

The company said it discovered the hack on April 8th, when an “unauthorized third party gained access to certain 7-Eleven systems used to store franchisee documents.”

7-Eleven says it immediately launched an investigation in order to assess the affected documents, which it has determined included information provided to the company “during your franchise application.”

This information was said to include name, address, and “other data elements,” which were not revealed in the sample letter.

7-Eleven also stated that it has since “remediated the incident,” apologized to victims for “any inconvenience” it caused, and is offering affected individuals 24 months of free credit monitoring services.

"Until 7-Eleven discloses what data was compromised, it's difficult to give advice on what breach victims should do next, says Paul Bischoff, Consumer Privacy Advocate at Comparitech.

Bischoff says “normal 7-Eleven customers” should have little to worry about, as payment information has not been reported stolen, but he also warns that “employees and possibly loyalty program members could be at risk.”

“Breach victims should be on the lookout for targeted phishing emails from scammers posing as 7-Eleven or a related company," Bischoff said.

Franchise data raises new risks

7-Eleven has nearly 13,000 stores across North America and more than 85,000 worldwide as of April 2026, according to the company's website. About 75% of 7-Eleven stores in the US are franchised, and more than half include fuel stations.

As of 2025, the nearly 100-year-old American-founded convenience store chain is now a wholly owned subsidiary of the Tokyo-based Seven & i Holdings, which also includes Speedway and Stripes convenience store brands acquired in 2021 and 2024, respectively.

Meanwhile, 7-Eleven has not revealed how many individual franchisees may have been impacted in the attack. Cybernews has reached out to the company for clarification, but has not heard back as of publication.

Ensar Seker, CISO at SOCRadar told Cybernews it's not the breach itself that stands out, but the target profile, noting that “franchise ecosystems create a very different risk surface compared to centralized enterprises.”

“Even if customer-facing systems remain unaffected, franchisee portals often contain highly sensitive operational, financial, legal, and identity-related documentation that can be leveraged for fraud, extortion, social engineering, or supply chain pivoting,” Seker explained.

7-Eleven breach linked to Salesforce hack

ShinyHunters says it broke into 7-Eleven systems via its Salesforce environment, listing the company on its dark leak site on April 18th, alongside more than half a dozen recognizable companies, including Zara, Carnival, and Pitney Bowes.

“Over 600k Salesforce records containing PII and other internal corporate data have been compromised,” the group claimed in its 7-Eleven entry, without providing any file samples.

The cybercriminal group gave the grab-and-go retailer until April 21st to negotiate a ransom demand, eventually leaking the alleged 9.4 GB of compressed 7-Eleven records via a download link on April 22nd.

“The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care,” ShinyHunters said, dumping a total of six victims that day.

Seker says ShinyHunters' timing also aligns with a broader trend “in which threat actors focus on organizations with distributed business models, large contractor networks, and decentralized document management environments.”

Seker says in many cases, compromising a document repository or administrative backend can provide more long-term value than deploying disruptive ransomware.

“These Actors are targeting trust relationships, operational data, and partner infrastructures because they understand the downstream impact can be much larger,” Seker said.

ShinyHunters keep piling up victims

ShinyHunters has notoriously targeted more than 700 high-profile victims via Salesforce environments as part of a widespread IT worker vishing campaign that began in 2025, resulting in the theft of billions of records.

Most April victims were linked to larger ShinyHunters’ hacking drives, with the Zara breach tied to an Anodot-Snowflake wave, Pitney Bowes also to the Salesforce campaign, and Carnival to a separate, unrelated attack.

Active since 2020, ShinyHunters is a well-known cybercrime and extortion group, most recently linked to the May 2020 breach of Canvas by Instructure, an online education platform used by roughly 9,000 school districts worldwide, from kindergarten through university level.

Last week, Canvas admitted it had paid ShinyHunters, and its CEO issued a public apology to students and educators after a two-day-long outage across college campuses in North America, preventing thousands of students from completing and submitting coursework and taking final exams.

Other recent victims include major names such as Amtrak, Alert 360, Rockstar Games, Hims & Hers, the European Commission, and Ameriprise Financial.

---

Unlock more exclusive Cybernews content on YouTube.