7-Eleven has become the latest major retail brand linked to a data breach, with more than 185,000 people’s personal information exposed after hackers accessed company systems used to store franchisee documents.
Breach notification service Have I Been Pwned said the incident affected over 185,000 people, exposing names, dates of birth, physical addresses, phone numbers, and email addresses. The ShinyHunters extortion gang claimed responsibility for stealing the data after breaching 7-Eleven in April.
Hackers accessed franchisee document systems
The breach was first disclosed in notification letters sent to affected individuals on May 1, 2026.
BleepingComputer reported that 7-Eleven told affected customers an unauthorized third party gained access to certain company systems on April 8, 2026, specifically systems used to store franchisee documents.
TechCrunch also reported that a listing with the Maine Attorney General’s Office said 7-Eleven Chief Information Security Officer Jim Kastle stated that hackers accessed an internal server containing franchisee documents.
The company has not publicly attributed the incident to a specific hacking group. However, BleepingComputer said ShinyHunters claimed responsibility on April 17, saying it stole more than 600,000 records containing corporate data and personally identifiable information after allegedly breaching 7-Eleven’s Salesforce environment.
Names, addresses, birth dates, and contact details exposed
The exposed information includes data that can be useful for identity theft, phishing, and targeted scams.
TechCrunch reported that Have I Been Pwned said the breach included names, dates of birth, physical addresses, phone numbers, and email addresses. Have I Been Pwned analyzed the leaked data and said the incident exposed 185,300 people, including names, dates of birth, unique email addresses, phone numbers, and physical addresses.
Have I Been Pwned said that a small number of records contained additional exposed data fields. A separate listing with the Massachusetts Attorney General’s Office said the breach also included Social Security numbers and driver’s licenses.
ShinyHunters claimed an extortion attack
The incident appears to have involved attempted extortion.
Have I Been Pwned described 7-Eleven as the victim of a hack-and-extortion attack, with ShinyHunters claiming it would publish the data if it was not paid. The group later leaked a 9.4GB archive of documents on its dark web leak site after the company allegedly refused to pay a ransom to have the stolen data returned and destroyed.
7-Eleven did not respond when asked to confirm ShinyHunters’ claims or provide the number of affected individuals. The company also did not share more technical details about how the attackers gained access.
A major retailer with a large customer base
The breach is notable because of 7-Eleven’s size.
7-Eleven was founded in 1927 and now operates, franchises, and licenses more than 86,000 stores worldwide, including 13,000 stores in the U.S. and Canada. The company also operates and franchises Speedway, Stripes, Laredo Taco Company, and Raise the Roost Chicken and Biscuits, while its 7Rewards and Speedy Rewards programs have more than 100 million members.
That scale makes any data incident involving the company especially sensitive, even if the disclosed breach was tied to franchisee document systems rather than customer loyalty systems.
Personal data could fuel scams
For affected people, the main risk is not just that their information was exposed. It is that names, emails, phone numbers, addresses, and birth dates can be combined to make scams more convincing.
Attackers can use those details to impersonate companies, send phishing messages, attempt account recovery fraud, or pressure victims with targeted social engineering. If Social Security numbers or driver’s licenses were included for some individuals, those people may face greater identity theft risk.
The 7-Eleven breach shows how a single compromised internal system can expose sensitive personal information and create long-term risks for victims.
Even when payment data is not mentioned, personal details can still be valuable to cybercriminals looking to build believable scams or resell information in underground markets.
