
Weeks after being named by the Qilin ransomware gang, Sysco, the world’s largest food distributor, is facing yet another extortion threat – this time from the notorious ShinyHunters, which claims to have stolen more than 61 million Salesforce records.
- ShinyHunters claims it stole more than 61 million Salesforce records from food distribution giant Sysco.
- The gang alleges the data includes customer information, employee records, and other internal corporate data.
- The claim comes weeks after Sysco was targeted by the Qilin ransomware gang, marking a second cyber extortion threat against the company.
61 million Salesforce records targeted
Posting the Houston, Texas-based “Systems and Services Company” on its victim blog, ShinyHunters claims to have compromised “over 61 million Salesforce records across several tables.”
According to the cybercriminal collective, some of the stolen databases contain “customer data/PII, employee data, and other internal corporate data,” although no proof samples accompanied the post.
ShinyHunters has given Sysco Corporation just two days to contact the group before it says it will leak the exfiltrated data on its dark leak site.
“Make the right decision, don't be the next headline,” it wrote.
Why Sysco data matters
Formed in 1969, the Sysco Corporation operates more than 340 distribution facilities worldwide, supplying nearly 500 fresh and frozen food products, culinary supplies, and restaurant equipment to roughly 750,000 locations spanning 10 countries.
If confirmed, a data compromise of this magnitude could have far-reaching effects for Sysco customers across multiple critical sectors.
The food distribution giant supplies restaurants, healthcare and senior living facilities, government agencies (including FEMA and the Red Cross), military installations, schools, hotels, airlines, airports, cruise ships, sports stadiums, casinos, supermarkets, and convenience stores.
Sysco also owns a portfolio of 150 local subsidiaries across 90 countries and has a robust business planning and technology division used by hundreds of customers.
It's also not the first time Sysco has suffered a major breach incident.
In May 2023, a breach notice posted on the Sysco website and filed with the US Securities and Exchange Commission (SEC) revealed the sensitive data of more than 126,000 current and former employees was exposed after an unnamed threat actor gained unauthorized access to its systems.
The threat actor is believed to have been lurking in Sysco’s systems for at least two months, and the compromised information was said to include names, Social Security numbers, account numbers, or similar information.
Second threat in weeks
The hacking claim comes roughly six weeks after the Russian-linked Qilin gang claimed to have infiltrated Sysco’s networks on May 6th.
Qilin, labeled by researchers as the most active ransomware group of 2025, posted three samples with the victim entry – also setting a countdown clock for Sysco to negotiate a ransom payout by May 12th.
Although Qilin did not reveal the amount of data it allegedly siphoned from Sysco servers, it has already made good on its promise to publish the stolen cache by its stated deadline.
The array of samples, which Cybernews was able to view at the time, was dated from 2021 through 2026 and included a formula-based customer product pricing list, a customer delivery invoice, and a Certificate of Resale tax document.
Although atypical for most hacking collectives, unless an affiliate deal has officially been reached, some extortion groups, including ShinyHunters, have been known to work with other cybercriminal groups, capitalizing on each other's time-tested tactics.
Meanwhile, Qilin, a known ransomware-as-a-service (RaaS) gang, allows affiliates to deploy its malware and leverage its negotiation infrastructure in exchange for a cut of ransom payments.
Last year, ShinyHunters, in collaboration with the Scattered Spider ransomware group under the “Scattered Lapsus$ Hunters” brand, was responsible for devastating cyberattacks on British retailer Marks & Spencer and luxury automaker Jaguar Land Rover.
It's unclear whether the two claimed Sysco breaches are connected or if any of the stolen data overlaps.
Cybernews has reached out to Sysco about the latest claim, but has received no response to either the Qilin or ShinyHunters inquiry.
ShinyHunters targets major brands via Salesforce
Active since 2019, ShinyHunters has been steamrolling through the names of hundreds of high-profile corporate victims since last September, most of them attributed to a worldwide campaign exploiting more than 1.5 million records tied to misconfigured Salesforce instances.
The cybercriminals have also kept busy executing their most recent June hacking spree targeting a critical zero-day vulnerability in Oracle PeopleSoft software.
Big names claimed in the past week alone include Madison Square Garden, with 26M records, fashion house Ralph Lauren, and the American department store chain JCPenney.
Also appearing on the gang's dark victim blog on Monday were the photography giant Kodak, with ShinyHunters claiming more than 2 million records, as well as Houston City College in Texas, with hundreds of thousands of student records allegedly compromised.