Back to news
Cybersecurity Alert
June 22, 2026 by EmailMeNow IT Consulting

ShinyHunters Claims 61M Sysco Salesforce Records Weeks After Qilin Ransomware Threat

Houston-based Sysco faces a second extortion claim as ShinyHunters alleges 61 million Salesforce records stolen, with a June 18 deadline. Sysco has not confirmed. Independent audit scores sysco.com at 70%.

Source: Cybernews / Daily Security Review

Data BreachShinyHuntersSalesforceTexasCybersecurityExtortion
ShinyHunters claims Sysco Salesforce data breach

ShinyHunters claims to have stolen more than 61 million Salesforce records from Sysco Corporation — the Houston, Texas–based food distribution giant — and threatened to publish the data after a June 18, 2026 deadline, according to threat-intelligence monitoring and reporting by Cybernews, Daily Security Review, and other outlets.

Sysco has not publicly confirmed the allegation at the time of publication.

Read coverage:
https://dailysecurityreview.com/threat-actors/shinyhunters-claims-61m-sysco-salesforce-records-in-unverified-breach/

What ShinyHunters Claims

The group listed Sysco on its leak site on June 15, 2026, alleging:

  • 61+ million records across multiple Salesforce tables
  • Customer account data, restaurant operator contacts, and proprietary pricing schedules
  • Employee PII and internal corporate records
  • A “final warning” to contact the group before public release

Sample files circulated in threat-intelligence channels reportedly contained Sysco customer identifiers and revenue figures — but independent verification of the full dataset has not been completed.

Illustration: dark web leak site countdown threatening public data release after extortion deadline

Second Extortion in Weeks

This is Sysco’s second major cyber extortion headline in 2026. The Qilin ransomware group previously listed Sysco with a May 12 deadline, publishing sample documents including customer invoices and tax forms — suggesting prior access to legitimate corporate files.

It remains unclear whether ShinyHunters and Qilin accessed the same environment, resold the same data, or represent separate intrusions. Initial-access brokers sometimes sell network footholds to multiple groups.

Why This Matters for Texas Hospitality

Sysco serves restaurants, healthcare facilities, schools, and hotels across 90+ countries with roughly 76,000 employees. A confirmed Salesforce exfiltration would expose data belonging to Sysco’s customers — not only Sysco itself — including purchasing history and pricing agreements Texas operators rely on for margins.

ShinyHunters has targeted multiple organizations in our April and June 2026 coverage, including Kodak, MSG/Knicks, and One Medical — often involving cloud CRM platforms rather than on-prem encryption events.

Illustration: attacker viewing stolen customer records in a cloud CRM dashboard via compromised API tokens

What Restaurants and Partners Should Do

  • Treat unsolicited Sysco account emails as suspicious until Sysco publishes official guidance.
  • Rotate credentials for any Sysco portal or EDI integration if your organization receives a direct notice.
  • Watch for BEC-style invoices referencing Sysco pricing or account numbers.
  • Monitor ransomware leak trackers and Have I Been Pwned for confirmed exposure.

Illustration: executive receiving encrypted extortion demand with ransom deadline and threat of public data leak

Independent Cybersecurity Audit

We audited sysco.com on June 22, 2026:

Organization (Domain)OverallRisk Level
Sysco (sysco.com)70%Good

A 70% public-domain score does not speak to Salesforce tenant configuration, API keys, or insider threats — the likely attack paths in ShinyHunters CRM campaigns.

Audit link: sysco.com audit


Benchmark your email security posture.

Run a free audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for Salesforce access reviews and vendor incident planning.


Sources: Daily Security Review — ShinyHunters Sysco claim · EmailMeNow audit — sysco.com