Personal information of 185,000 people exposed after cyberattack on 7-Eleven
Data belonging to about 185,000 people was exposed following a cyberattack on convenience store chain 7-Eleven that was later claimed by the ShinyHunters extortion gang, according to Have I Been Pwned.
The exposed information includes email addresses, names, physical addresses, dates of birth, and phone numbers, while a small number of records also contained additional data fields.
7-Eleven is a convenience store chain with more than 86,000 stores in 19 countries.
On April 8, 2026, the company discovered that an unauthorized third party had gained access to certain 7-Eleven systems.
On May 1, Jim Kastle, CISO at 7-Eleven, confirmed in a notice of security incident that the investigation determined documents involved in the incident contained information individuals had submitted during the franchise application process.
“We take the security of your personal information very seriously and immediately launched an investigation in order to assess the affected documents and bring this to your attention. We also wanted to apologize for any inconvenience this may cause you,” Kastle said.
“We have also arranged for you to enroll in identity theft protection services and CyberScan monitoring through IDX at no cost for up to 24 months.”
7-Eleven did not identify the threat actor behind the incident. ShinyHunters later claimed responsibility for the attack on April 17.
The group alleged that it had stolen more than 600,000 records and later published a 9.4 GB archive of data following what it described as unsuccessful ransom negotiations.
ShinyHunters has been linked to multiple high-profile incidents this year involving ADT, the European Commission, Aura, Rockstar Games, and Udemy, among others.
In early May, Instructure, the company behind the online learning platform Canvas, reached an agreement with the gang to prevent data stolen in a recent breach from being published online.
The FBI later warned organizations and individuals against complying with ShinyHunters’ extortion demands, noting that payment does not guarantee stolen data will be deleted or prevent future extortion attempts.