7-Eleven, the world's largest convenience store chain, has confirmed a data breach after the ShinyHunters hacker group claimed to have stolen information from its systems. According to a notification filed with the Maine Attorney General's Office, the intrusion involved a 7-Eleven system used to store franchisee documents, exposing personal information collected during franchise applications. ShinyHunters listed the company on its leak site on April 17, claiming to have exfiltrated more than 600,000 Salesforce records containing both personal and corporate data, and threatened to release the trove unless a ransom was paid by April 21 — later offering the data for sale at $250,000 on a hacker forum.

This incident is part of a much broader ShinyHunters campaign that has targeted Salesforce instances across major enterprises since mid-2025, with recent victims including Infrastructure, Vimeo, Wynn Resorts, Vercel, and Medtronic. This pattern highlights a growing blind spot in enterprise security: SaaS and third-party integration risk. Traditional approaches often fail to capture the full attack chain — credential theft, anomalous API calls, and large-scale data exfiltration via legitimate integrations — because the relevant signals are spread across identity providers, SaaS audit logs, network traffic, and endpoint telemetry that rarely live in the same analytical plane.

Defending against SaaS-targeted data theft requires unified visibility that correlates identity events, network flows, packet-level evidence, DNS activity, and SaaS API logs in a single platform with AI-driven behavioral analytics. Detection capabilities should include anomaly detection on OAuth token usage along with forensic-grade packet capture to reconstruct exactly what was accessed and exfiltrated during an incident. Unified cybersecurity and observability platforms like NIKSUN give security teams the cross-domain context needed to catch SaaS data theft campaigns like this one. Read more about this story on our LinkedIn page