
May 29, 2026

The 7-Eleven Breach: What 185,000 Stolen Records Teach Every Small Business About Misconfigured Systems

On May 24, 2026, the breach-notification service Have I Been Pwned added a new entry to its database: 185,300 people whose personal information was stolen from 7-Eleven. The data has been in the wild since April. Names, home addresses, email addresses, and dates of birth — and for a smaller subset, Social Security numbers, driver’s license details, and other government-issued identification. These are not customers of the convenience stores. These are people who applied to become 7-Eleven franchisees, current franchisees, and former franchisees, whose application paperwork sat in a corporate system that turned out to be improperly configured.

The hacking crew behind it is called ShinyHunters. They have spent the last nine months running the same playbook against more than 300 organizations — including ADT, Wynn Resorts, Vimeo, Vercel, Medtronic, Instructure, and, in a moment of pitch-black irony, the cybersecurity firm Aura.com. 7-Eleven is just the latest name to surface publicly. What makes this story worth a small business owner’s attention is not the size of the company that got hit. It is the nature of the mistake that let it happen.

The mistake that opened the door

7-Eleven used a platform called Salesforce Experience Cloud to manage its franchisee application portal. Experience Cloud is the public-facing side of Salesforce — the part that lets prospective franchisees, customers, partners, or vendors submit information through a website without having to log in. When someone visits one of these portals without an account, Salesforce treats them as a “guest user.” Guest users are supposed to have very limited permissions — read this one form, see this public page, submit a contact request, and nothing else.

The problem is that guest user permissions are configured by whoever sets up the portal. And if the person who set it up gave the guest user account too much access — which, by Salesforce’s own admission, is what happened at 7-Eleven and roughly 300 to 400 other organizations — then anyone in the world can query the underlying database and pull out records that were never supposed to be public. No password required. No phishing required. No software vulnerability exploited. The data was, in a meaningful sense, just sitting there.

To find vulnerable sites at scale, ShinyHunters took a tool called AuraInspector — released in January 2026 by Mandiant, the security firm owned by Google — and modified it. AuraInspector was built to help administrators audit their own Salesforce portals for exactly these kinds of misconfigurations. ShinyHunters turned the auditor into a hunting rifle. They scanned the entire public internet for Experience Cloud portals, identified which ones had over-permissive guest users, and extracted the data. The whole process is automated. From the attacker’s perspective, it is the cheapest possible form of breach.

Salesforce has been clear in its public statements: this is not a vulnerability in their platform. The platform is doing exactly what the customer configured it to do. The breach is the configuration.
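To make the "guest user" boundary concrete, here is an added illustration (not code from the original post, from Salesforce, or from any real 7-Eleven system) of an object-level permission check for an unauthenticated role. The record store, the two guest-role configurations, and the sample applications are all constructed for this example; the point it shows is that the same portal code exposes every stored record or none, depending only on which operations the guest role was granted.

```python
"""Toy model of an object-level permission boundary for an unauthenticated
("guest") role. The Portal class, the Role definitions and the sample
applications are constructed for this illustration; nothing here is
Salesforce's implementation or a real franchise portal."""
from dataclasses import dataclass, field

# Constructed sample data: the kind of records an application portal holds.
APPLICATIONS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "ssn": "***-**-1234"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "ssn": "***-**-5678"},
]


class PermissionDenied(Exception):
    pass


@dataclass
class Role:
    name: str
    # object name -> set of operations this role may perform on it
    object_perms: dict = field(default_factory=dict)

    def allows(self, obj, op):
        return op in self.object_perms.get(obj, set())


# Over-permissive configuration: the guest role can enumerate and read every
# application record. This is the class of mistake the post describes.
GUEST_MISCONFIGURED = Role("guest", {"Application": {"create", "read", "list"}})

# Least-privilege configuration: an unauthenticated visitor may submit a new
# application but may not enumerate or read existing ones.
GUEST_HARDENED = Role("guest", {"Application": {"create"}})


class Portal:
    def __init__(self, records):
        self.records = list(records)

    def _check(self, role, obj, op):
        if not role.allows(obj, op):
            raise PermissionDenied(f"{role.name} may not {op} {obj}")

    def submit_application(self, role, **fields):
        self._check(role, "Application", "create")
        rec = {"id": len(self.records) + 1, **fields}
        self.records.append(rec)
        return rec["id"]

    def list_applications(self, role):
        # A whole-table query by an unauthenticated caller succeeds only if the
        # role explicitly holds "list" on the object.
        self._check(role, "Application", "list")
        return [r["id"] for r in self.records]

    def read_application(self, role, rec_id):
        self._check(role, "Application", "read")
        return next(r for r in self.records if r["id"] == rec_id)


def exposed_record_count(role):
    """Number of stored applications an unauthenticated visitor could pull out
    under the given guest-role configuration."""
    portal = Portal(APPLICATIONS)
    try:
        return len(portal.list_applications(role))
    except PermissionDenied:
        return 0


def guest_can_read(role, rec_id):
    """True if the guest role can read an individual stored record."""
    try:
        Portal(APPLICATIONS).read_application(role, rec_id)
        return True
    except PermissionDenied:
        return False


def audit_guest_role(role, sensitive_objects=("Application",)):
    """Flag guest-role grants that let an unauthenticated visitor read or
    enumerate records on objects holding personal data."""
    findings = []
    for obj in sensitive_objects:
        for op in ("read", "list"):
            if role.allows(obj, op):
                findings.append(f"guest role grants '{op}' on {obj}")
    return findings


if __name__ == "__main__":
    for label, role in (("misconfigured", GUEST_MISCONFIGURED), ("hardened", GUEST_HARDENED)):
        print(label, "exposes", exposed_record_count(role), "records;",
              "findings:", audit_guest_role(role) or "none")
```

The `audit_guest_role` check is the defensive half: it is the question an administrator should ask of every unauthenticated role, object by object, rather than trusting that the default was sensible when the portal was first set up.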

What ShinyHunters did with the data

The business model is extortion. ShinyHunters extract data from a target, notify the company privately, and demand a ransom in exchange for not publishing the files. 7-Eleven received its demand in mid-April with a deadline of April 21 to pay. The company refused. A week later, ShinyHunters published a 9.4-gigabyte archive of the stolen files on their dark web leak site and listed the same data for sale on a Russian-language hacking forum for $250,000.

The FBI’s guidance to victims of ShinyHunters has been consistent: do not pay. Paying does not guarantee the data is destroyed. It does not prevent the data from being resold. And it confirms to the attackers that the target is willing to pay — which is precisely what attracts the next round of extortion attempts. 7-Eleven followed that guidance. The trade-off is that the data is now public, and 185,300 people are facing years of elevated identity-theft risk.

Why this matters to a small business that has never heard of Salesforce

This is the part where it would be easy to close the tab. “We don’t use Salesforce. We’re a 14-person company. This isn’t us.” Read on, because the pattern that broke 7-Eleven is the same pattern that breaks small businesses every week. The technology changes, but the mistake is identical.

Every small business has guest users, even if you do not call them that. A guest user is anyone who can interact with one of your systems without logging in. The “Apply for a job” form on your website is a guest-user interface. The “Submit a contact request” form is a guest-user interface. The shared Google Drive folder you sent to a vendor last year is a guest-user interface. The QuickBooks Online customer portal where clients can view their invoices, if you have one of those configured, is a guest-user interface. Every one of those touchpoints has a permission boundary that determines what the unauthenticated visitor can see — and every one of them was configured by someone, probably in a hurry, probably without anyone reviewing the security implications.

The cheap, scalable attack is the one that finds your mistake automatically. ShinyHunters did not target 7-Eleven specifically. They scanned every Experience Cloud portal on the internet looking for misconfigured ones. If yours had been on the list, they would have grabbed yours too. This is the threat model that catches small businesses off guard. You do not have to be important. You only have to be vulnerable, because the attacker’s tooling is reviewing tens of thousands of potential victims an hour, and the cost of pulling your data once they have found you is essentially zero.

The “we are too small to be a target” defense has expired. It made some sense ten years ago, when attacks required individual effort per victim. It does not make sense in 2026. Automated reconnaissance does not care how big you are. It cares whether a configuration on your public-facing systems is loose enough to extract data without authentication. Small businesses are not too small to be hit. They are exactly the right size to be hit and never know it happened, because they do not have the monitoring in place to detect data leaving systems they did not realize were exposed.

The places your small business is probably exposed right now

None of these are hypothetical. We see one or more of them on almost every small-business engagement that involves looking at a client’s existing setup before we are hired to clean it up.

  • Cloud file shares set to “Anyone with the link can view.” Google Drive, Dropbox, OneDrive, Box. A folder that was shared with one vendor in 2022 is still publicly readable today, sitting in someone’s browser history, indexed by automated tools that crawl shared-link patterns.
  • Customer portals on your website that show too much. WordPress plugins that build “client area” features routinely default to exposing more data than needed. Quote forms, invoice viewers, support ticket interfaces, member directories. Each one has a permission setting that the installer probably accepted as default.
  • Email distribution lists and mailing platforms. Mailchimp, Constant Contact, HubSpot. Audience lists with names, emails, and sometimes phone numbers, addresses, or purchase history. Some have public-share features for campaign reports that get turned on once and never turned off.
  • Old job application data. The 7-Eleven breach is, at its core, a job-application breach. If your business has ever advertised positions through a third-party hiring platform, applicant data is still in that platform’s database with retention rules you probably did not set and do not remember.
  • QuickBooks Online customer portals. If you have invited customers to view or pay invoices through QBO’s customer-facing portal, the permission boundaries there are also configured by you — and most small business owners have not reviewed them since the day they were set up.
  • Forgotten subdomains. staging.yourbusiness.com, dev.yourbusiness.com, old-site.yourbusiness.com. Test environments that were never taken down, often with the same data as production and a fraction of the security.

What we recommend, in plain English

The fix is not technically complicated. The fix is making someone responsible for actually looking. Configuration drift — the slow accumulation of permission changes, plugin installs, share links, integrations, and “just temporarily” workarounds — is what kills small businesses. The single most valuable security work we do for clients is the boring, methodical inventory of every system that holds data and every interface that touches it.

Audit every public-facing form, portal, and share link your business uses. Anything that anyone can reach without logging in. List them out. For each one, answer: what data does this expose, who configured it, when was it last reviewed, and who is responsible for it. If you cannot answer those four questions for every public touchpoint of your business, you have the same exposure 7-Eleven had.

Set a quarterly review. Permissions decay. Plugins get updated and reset settings. Employees leave and forget what they shared. New integrations get connected and configured by whoever was in the room that day. Once a quarter, somebody needs to walk through the inventory and verify nothing has drifted. This is exactly the kind of work we cover in our quarterly strategy reviews with managed-IT clients — it is not glamorous, but it is the difference between a quiet year and a 185,000-person breach notification.

Limit what your public-facing systems hold in the first place. The cheapest data to protect is data you do not store. If your job-application form collects Social Security numbers in the first round of contact, ask why. If your contact form requires a full home address to schedule a call, ask why. The 7-Eleven applicant data included SSNs and driver’s licenses because franchise applications require background checks — that is a defensible business reason. Most small businesses do not have a defensible reason for half of what their forms collect.

Have a breach response plan written down before you need it. If your business gets a ransom email tomorrow morning — and small business owners do, several times a week now — what is step one? Who do you call? What do you say to customers? What is your legal obligation to notify under your state’s data breach law? A two-page document covering those questions, written when you are calm, is the cheapest insurance policy you will ever buy.

Make sure backups would actually save you. If ransomware encrypts your systems tomorrow, you have backups — right? When was the last time someone restored from them and verified the restore worked? Daily encrypted off-site backups with quarterly restore testing is the standard. Anything less is hoping.
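As an added example (not part of the original post), here is a small script that applies the inventory, quarterly-review, and data-minimization steps above to a list of public touchpoints. It checks each entry for the four questions (what data, who configured it, when last reviewed, who owns it), flags anything not reviewed within the last quarter, flags sensitive fields collected without a login, and flags share links open to anyone. The inventory entries and the field names are this example's own constructed convention, not any product's schema.

```python
"""Public-touchpoint inventory audit. The inventory below is constructed sample
data and the field names are this example's own convention."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=91)  # "once a quarter"

# Fields this example treats as high-risk to collect or expose without a login.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "date_of_birth", "home_address"}

# Constructed inventory: everything reachable without logging in.
INVENTORY = [
    {"name": "Job application form", "kind": "web form",
     "data": ["name", "email", "ssn"], "configured_by": "former admin",
     "last_reviewed": "2023-02-10", "owner": None},
    {"name": "Vendor pricing folder", "kind": "share link",
     "data": ["pricing"], "configured_by": "sales",
     "last_reviewed": "2022-06-01", "owner": "sales lead",
     "link_visibility": "anyone with the link"},
    {"name": "Contact form", "kind": "web form",
     "data": ["name", "email"], "configured_by": "web agency",
     "last_reviewed": "2026-04-15", "owner": "office manager"},
]


def audit_touchpoint(entry, today):
    """Return the list of problems found for one touchpoint (empty if none)."""
    findings = []
    # Questions 2 and 4: who configured it, who is responsible for it.
    for question in ("configured_by", "owner"):
        if not entry.get(question):
            findings.append(f"no answer for '{question}'")
    # Question 3: when was it last reviewed, and is that within a quarter.
    last = entry.get("last_reviewed")
    if not last:
        findings.append("never reviewed")
    elif today - date.fromisoformat(last) > REVIEW_INTERVAL:
        findings.append(f"review overdue (last reviewed {last})")
    # Question 1: what data does it expose, and should it be collected at all.
    sensitive = SENSITIVE_FIELDS.intersection(entry.get("data", []))
    if sensitive:
        findings.append("collects sensitive fields without login: "
                        + ", ".join(sorted(sensitive)))
    # Share links left open to the whole internet.
    if entry.get("link_visibility") == "anyone with the link":
        findings.append("share link readable by anyone")
    return findings


def audit_inventory(inventory, today):
    """Map each touchpoint name to its findings."""
    return {e["name"]: audit_touchpoint(e, today) for e in inventory}


def needs_attention(inventory, today):
    """Sorted names of touchpoints with at least one finding."""
    return sorted(n for n, f in audit_inventory(inventory, today).items() if f)


if __name__ == "__main__":
    today = date.today()
    for name, findings in audit_inventory(INVENTORY, today).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run quarterly against the real inventory, the output is the to-do list for the review: an empty result means nothing has drifted, and every line otherwise names a touchpoint and the specific question nobody can currently answer for it.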

The harder lesson

The 7-Eleven breach is not interesting because it is unusual. It is interesting because it is so ordinary. A large company set up a portal years ago, the person who configured it left, the configuration was never reviewed, an automated tool scanned the public internet, and 185,300 people are now dealing with the consequences. There is no exotic exploit here. There is no nation-state. There is no insider threat. There is configuration drift that nobody owned and an attacker patient enough to find it.

Every small business has the same exposure structure. The only difference is the size of the data set and the number of people who notice when it gets stolen. If you are not sure where your business stands — whether someone is reviewing your public-facing systems on a regular cadence, whether your share links and portals are configured correctly, whether your data retention is doing more than collecting unnecessary risk — that is the conversation worth having now, before there is a ransom email in your inbox.

Sources: BleepingComputer, “7-Eleven data breach exposes personal information of 185,000 people,” May 26, 2026. SecurityWeek, “185,000 Likely Impacted by 7-Eleven Data Breach.” Cybernews, “185,000 affected in 7-Eleven data breach linked to ShinyHunters.” Have I Been Pwned breach index, May 24, 2026. Salesforce Cyber Security Operations Center advisory, March 2026. Mandiant Consulting and Varonis Threat Labs analysis on ShinyHunters AuraInspector campaign.
