Zara, Carnival, 7-Eleven hit by ShinyHunters, 9M+ records at risk in “pay or leak” warning

Zara, Carnival, and 7-Eleven are the latest brands named by ShinyHunters on Friday, with the ransomware gang threatening to dump more than 9 million records of sensitive PII and internal data unless the companies pay up by an April 21st deadline.
- Zara, Carnival, and 7-Eleven have all landed on ShinyHunters’ latest “pay or leak” warning list with an April 21st ransom deadline.
- Zara and 7-Eleven tie into larger known breach patterns, with Zara linked to the Anodot-Snowflake wave and 7-Eleven pulled into the group’s Salesforce-focused access campaign.
- Carnival broadens the story beyond retail, showing ShinyHunters is still targeting major brands across multiple industries.
The three brands first appeared on the gang’s dark leak site early Friday alongside half a dozen other global firms, including Medtronic, Pitney Bowes, and The Canada Life Assurance Company – but more on those later.
“This is a final warning to reach out by 21 Apr 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline,” ShinyHunters posted in all nine victim entries.
Ransomware groups commonly threaten their victims before releasing stolen data in hopes of pressuring them to fork over a ransom. Furthermore, data leaks involving personally identifiable information (PII) are likely to be exploited for identity theft and future phishing attacks, while business leaks can expose company secrets and lead to reputational damage, legal action, and regulatory fines.
“When PII is involved, there's always a chance of social engineering attacks. The impact depends on whether the data in question belongs to the company employees or customers,” the Cybernews research team says.
Zara leads with Snowflake-fueled leak threat
With more than 2,220 stores worldwide and a robust online presence, Zara is just one of the major clothing and home brands owned by Inditex, the world’s largest fast-fashion retailer, both headquartered in Arteixo, Spain.
ShinyHunters claims to have breached Zara's networks through a previous compromise of the Israeli AI analytics firm Anodot as part of an attack wave earlier this month targeting Snowflake customers.
“Your Bigquery instances data was compromised thanks to Anodot.com. Pay or Leak,” the group wrote in the Zara entry.
On Thursday, Inditex put out a statement saying it had “detected unauthorized access to the group's databases,” reported Economia Digital Galicia, a Spanish business newspaper.
And although Inditex did not name Anodot directly, it alluded to the incident stemming from an attack on “a former technology provider that has affected several companies with international operations.”
The fashion powerhouse said it immediately applied security protocols to contain the attack, noting that “names, surnames, telephone numbers, addresses, passwords, bank cards, or other payment methods were not exposed.”
In the April 6th Anodot attack, the ransomware gang was said to have used stolen authentication tokens from the “SaaS integration provider” to access the sensitive data of multiple companies, with the majority of activity targeting victims' Snowflake cloud environments.
It's an attack playbook that ShinyHunters has repeatedly used before, including in this week’s breach of Rockstar Games, alongside a 7.5 GB dump of the Grand Theft Auto maker's internal data.
That leak was also said to have included 2.4 million Rockstar customer support tickets, revealing game issues and timestamps.
7-Eleven pulled into Salesforce-linked breach
In comparison, ShinyHunters says it broke into 7-Eleven systems via its Salesforce environment, another well-known breach method tied to the group.
Businesses often use Salesforce, a Customer Relationship Management (CRM) platform, for customer service, marketing automation, and data analytics.
“Over 600k Salesforce records containing PII and other internal corporate data have been compromised,” the group noted on its leak site, without providing any file samples.
The savvy hacker group launched a highly successful IT worker vishing campaign last year, gaining access to the Salesforce records of an alleged 700 high-profile companies, most of which are now listed on ShinyHunters' notorious blog, including Google, FedEx, UPS, Toyota, Stellantis, Adidas, Disney, Home Depot, and more.
Headquartered out of Irving, Texas, the grab-n-go retailer touts just under 13,000 franchise stores across the US and Canada, and more than 85,000 7-Eleven stores worldwide as of April 2026, according to ScrapeHero.
As of 2025, the nearly 100-year-old American-founded convenience store chain is now a wholly owned subsidiary of the Tokyo-based Seven & i Holdings.
Besides 7-Eleven, other Salesforce victims listed on the ransomware leak site Friday include:
- The Canada Life Assurance Company – insurance and financial services company, 5.6M Salesforce records containing PII
- Pitney Bowes Inc. – global ecommerce shipping, 25M Salesforce records containing PII
- Marcus & Millichap, Inc. – commercial real estate brokerage, 30M Salesforce records containing PII, internal corporate data
- Aman Resorts – ultra-luxury hospitality brand, 500k Salesforce records containing PII
On April 15th, ShinyHunters leaked millions of Salesforce records linked to another handful of victims, apparently as payback for their refusal to negotiate with the cut-throat extortionists.
Those leak victims included the National Railroad Passenger Corporation – otherwise known as Amtrak – with 9.4M Salesforce records chock-full of PII and internal data; the Kemper Corporation, with over 13 million Salesforce records of PII and internal data; and finally, the education content platform McGraw-Hill, with 40M Salesforce records of PII.
The companies are accused of “failing to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care,” ShinyHunters posted on their entries.
Carnival joins widening ShinyHunters "pay or leak" list
The final member of the victimized ShinyHunters trio is the Carnival Corporation, the parent company behind the popular Carnival Cruise Line.
The group claims to have exfiltrated “over 8.7M records containing PII and other terabytes of internal corporate data” from Carnival’s home networks.
With an annual revenue of over $26 billion recorded in 2024, the Carnival Corporation served over 13.5 million guests that same year, accounting for nearly 40% of the worldwide cruise market, according to the company website.
Carnival also boasts a massive workforce of over 160,000 team members and often has over 300,000 guests and crew members on board its ships at any given time, the company said. Again, a massive amount of PII for cybercriminals to use for nefarious purposes.
Active since 2020, ShinyHunters is a well-known cybercrime and extortion group, previously linked to multiple high-profile data theft campaigns, including the recent Okta vishing campaign targeting single sign-on (SSO) credentials.
Also on Thursday, ShinyHunters decided to dump 2.5 million records on the dark web after Alert 360, a leading US home security provider, allegedly refused to pay a ransom demand.
In just the past several weeks, the group has claimed attacks on Hims & Hers, Hallmark, the European Commission, and Ameriprise Financial.
On June 25th, 2025, French authorities announced the arrest of four alleged members of ShinyHunters across multiple regions of France.