ShinyHunters Confirms 600K-Record Salesforce Exfiltration from 7-Eleven; 9.4GB Archive Leaked After Ransom Refusal — Part of Ongoing SaaS CRM Campaign Hitting Dozens of Enterprises
7-Eleven confirmed a breach first flagged by ShinyHunters on April 17. The attackers exfiltrated 600,000+ Salesforce CRM records containing franchise applicant PII, including names, SSNs, driver's licenses, and addresses, after gaining access on April 8 via phishing, OAuth abuse, or misconfiguration (not a Salesforce platform flaw). After 7-Eleven declined to pay the ransom, ShinyHunters published a 9.4GB archive on their Tor leak site; the FBI has issued guidance urging all ShinyHunters victims not to pay. This breach is part of a sustained, high-tempo campaign by ShinyHunters/Coinbase Cartel targeting Salesforce environments at scale; confirmed victims also include Instructure (275M records, 9,000 schools), McGraw-Hill, Medtronic, Vimeo, and the European Commission. Organizations relying on cloud-hosted SaaS CRM platforms must audit OAuth grants, third-party integration scopes, and Salesforce Connected App permissions immediately.
This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.