7-Eleven — misconfigured Salesforce Experience Cloud, ShinyHunters dump

7-Eleven confirmed on 26 May 2026 that an unauthorised third party accessed certain corporate systems on 8 April 2026, exposing the personal information of around 185,000 prospective and current franchise applicants. The dataset involved documents submitted during the US franchise application process — email addresses, names, physical addresses, dates of birth and phone numbers — with a separate Massachusetts attorney-general filing recording that a smaller subset of records also contained Social Security numbers and driver’s licence details.

The intrusion vector was a misconfigured Salesforce Experience Cloud instance rather than the now-familiar ShinyHunters vishing chain. According to ShinyHunters’ own account, the group used AuraInspector, an open-source Lightning Aura auditing tool, to enumerate accessible objects on the public-facing Experience Cloud site and exfiltrate the underlying records. The actors claim to have lifted more than 600,000 Salesforce records in total; the company’s notification figure of ~185,000 reflects only the unique individuals affected, not the raw record count.

ShinyHunters listed 7-Eleven on its extortion portal and set a 21 April 2026 deadline. When 7-Eleven declined to negotiate, the group dumped a 9.4 GB archive of the stolen files publicly. The company’s confirmation came roughly five weeks later, accompanied by individual notifications and AG filings in Massachusetts and other US states.

The 7-Eleven case sits inside the wider ShinyHunters Salesforce campaign already covered via Carnival, Pitney Bowes, Cushman & Wakefield, Medtronic, Vimeo/Anodot, Instructure/Canvas and Charter. The 7-Eleven variant is technically distinct: there is no phished employee account, no identity-provider compromise and no Drift OAuth pivot. The exposure was an internet-facing Salesforce Experience Cloud guest-user misconfiguration — the same class of issue that has driven similar incidents elsewhere across 2024–2026 — enumerated by a publicly available audit tool.

A deep-dive will follow once 7-Eleven’s full state-AG notification picture is collated, the precise data taxonomy is corroborated against the dumped archive, and Salesforce or independent researchers publicly document the specific guest-user configuration the attackers exploited. The early defender lens is that vishing the help-desk is not the only way into a Salesforce CRM — Experience Cloud, Communities and external portals each create a parallel attack surface that does not require a single user to be social-engineered.