Key Findings

• ShinyHunters posted data from Udemy, Zara, and 7-Eleven on dark web leak sites between April 22-27, 2026

• Udemy breach contains 2.3 GB including 1.4 million Salesforce records with personally identifiable information

• 7-Eleven breach involves 12.8 GB with over 600,000 Salesforce records

• Zara breach claims 192 GB from BigQuery instances, linked to third-party service Anodot

• All three companies allegedly ignored negotiation attempts before data was released

• None of the companies have publicly confirmed the breaches as of writing

• ShinyHunters claims responsibility for breaching around 400 Salesforce targets, with 42 organizations having data published so far

Background

ShinyHunters is a hacker group known for targeting cloud services and third-party integrations. The group focuses on Salesforce environments and analytics platforms like Anodot, exploiting the interconnected nature of these systems to gain broader access. When data is obtained, the group either offers it privately or publishes it on their leak site with statements claiming failed negotiations with targets. This latest activity continues their established pattern of targeting large volumes of user and business data stored in databases, CRM platforms, and internal tools.

Udemy Data Breach

Udemy, the online learning marketplace, faces exposure of 2.3 GB of data according to ShinyHunters. The breach includes more than 1.4 million records pulled directly from Salesforce. The exposed data contains personally identifiable information alongside internal corporate records. The group's listing uses language consistent with their other posts, claiming the company ignored repeated attempts to reach a negotiated settlement before the data went public.

7-Eleven Data Breach

The world's largest convenience store chain is among the targets, with ShinyHunters claiming 12.8 GB of stolen data. The breach includes over 600,000 Salesforce records containing both personal data and internal business information. The listing follows the same pattern as the other breaches, with the group repeating their assertion that failed negotiations led to the public release. The clearer breakdown in this listing provides more specifics about the dataset composition.

Zara Data Breach

Zara, the major Spanish fast-fashion retailer owned by Inditex, faces a larger breach with distinct characteristics. The group claims 192 GB of data taken from BigQuery instances, with specific mention of Anodot as the entry point. This suggests the breach stemmed from a third-party compromise rather than direct access to Zara's infrastructure. The listing directly references an earlier Anodot incident also connected to the Rockstar Games breach, indicating that access gained through the service may have extended into multiple connected environments. The narrative about missed negotiations appears in this listing as well.

Broader Context and Campaign Scale

The attacks against these three companies fit within ShinyHunters' documented focus on cloud services and third-party integrations. The group has demonstrated a consistent pattern of targeting Salesforce environments and connected platforms where compromising one system creates pathways into others. Historical analysis of the group's activity shows they claim responsibility for around 400 targets in their Salesforce-related campaign. To date, they have published data linked to 42 companies and organizations, including telecom giant Telus, the European Commission, Dutch telecom providers Odido and Ben.nl, SoundCloud, Crunchbase, and Betterment among others.

Sources

• https://hackread.com/shinyhunters-leak-udemy-zara-7-eleven-data-breach/

• https://news.backbox.org/2026/04/27/shinyhunters-leaks-data-of-udemy-zara-7-eleven-in-salesforce-linked-breach/

• https://x.com/HackRead/status/2048814004521336973

• https://www.facebook.com/ImpressComputers/posts/shinyhunters-leaks-data-of-udemy-zara-7-eleven-in-salesforce-linked-breachshinyh/1406050581541885/

• https://www.news4hackers.com/shinyhunters-exposes-sensitive-data-from-udemy-zara-7-eleven-via-salesforce-data-breach/