ShinyHunters claims to have stolen more than 61 million Salesforce records from Sysco Corporation — the Houston, Texas–based food distribution giant — and threatened to publish the data after a June 18, 2026 deadline, according to threat-intelligence monitoring and reporting by Cybernews, Daily Security Review, and other outlets.
Sysco has not publicly confirmed the allegation at the time of publication.
Read coverage:
https://dailysecurityreview.com/threat-actors/shinyhunters-claims-61m-sysco-salesforce-records-in-unverified-breach/
What ShinyHunters Claims
The group listed Sysco on its leak site on June 15, 2026, alleging:
- 61+ million records across multiple Salesforce tables
- Customer account data, restaurant operator contacts, and proprietary pricing schedules
- Employee PII and internal corporate records
- A “final warning” to contact the group before public release
Sample files circulated in threat-intelligence channels reportedly contained Sysco customer identifiers and revenue figures — but independent verification of the full dataset has not been completed.

Second Extortion in Weeks
This is Sysco’s second major cyber extortion headline in 2026. The Qilin ransomware group previously listed Sysco with a May 12 deadline, publishing sample documents including customer invoices and tax forms — suggesting prior access to legitimate corporate files.
It remains unclear whether ShinyHunters and Qilin accessed the same environment, resold the same data, or represent separate intrusions. Initial-access brokers sometimes sell network footholds to multiple groups.
Why This Matters for Texas Hospitality
Sysco serves restaurants, healthcare facilities, schools, and hotels across 90+ countries with roughly 76,000 employees. A confirmed Salesforce exfiltration would expose data belonging to Sysco’s customers — not only Sysco itself — including purchasing history and pricing agreements Texas operators rely on for margins.
ShinyHunters has targeted multiple organizations in our April and June 2026 coverage, including Kodak, MSG/Knicks, and One Medical — often involving cloud CRM platforms rather than on-prem encryption events.

What Restaurants and Partners Should Do
- Treat unsolicited Sysco account emails as suspicious until Sysco publishes official guidance.
- Rotate credentials for any Sysco portal or EDI integration if your organization receives a direct notice.
- Watch for BEC-style invoices referencing Sysco pricing or account numbers.
- Monitor ransomware leak trackers and Have I Been Pwned for confirmed exposure.

Independent Cybersecurity Audit
We audited sysco.com on June 22, 2026:
| Organization (Domain) | Overall | Risk Level |
|---|---|---|
| Sysco (sysco.com) | 70% | Good |
A 70% public-domain score does not speak to Salesforce tenant configuration, API keys, or insider threats — the likely attack paths in ShinyHunters CRM campaigns.
Audit link: sysco.com audit
Related trackers
- Hospitality & retail tracker
- Texas OAG YTD dashboard
- Ransomware threat landscape
- Kodak / ShinyHunters
- MSG / Knicks leak
- Monitoring guide
- All trackers
Benchmark your email security posture.
Run a free audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for Salesforce access reviews and vendor incident planning.
Sources: Daily Security Review — ShinyHunters Sysco claim · EmailMeNow audit — sysco.com