Sysco Faces Second Extortion as ShinyHunters Claims 61M Records

Sysco Corporation, the world's largest food distributor, is facing its second extortion demand in recent weeks. The ShinyHunters cybercrime gang claims to have stolen more than 61 million Salesforce records from the company, threatening to leak the data by June 18 if their demands aren't met.

The new threat comes just weeks after the Qilin ransomware gang listed Sysco on their leak site with a May 12 deadline. Whether these represent separate incidents or the same stolen data being shopped to multiple groups remains unclear.

What ShinyHunters Claims

According to listings tracked by ransomware.live, ShinyHunters alleges the stolen dataset includes:

• Customer PII including names, contact information, and account details
• Employee records with potentially sensitive HR data
• Internal corporate data from Salesforce CRM tables
• Business relationship information revealing Sysco's vendor and client networks

The 61 million record count, if accurate, would make this one of the larger corporate breaches of 2026. Sysco operates across 90 countries with approximately 76,000 employees, serving restaurants, healthcare facilities, educational institutions, and hospitality organizations worldwide.

ShinyHunters issued what they characterized as a "final warning" on June 15, giving Sysco until June 18 to make contact before publishing the data. The tight deadline suggests active negotiations or an attempt to pressure rapid payment.

ShinyHunters' 2026 Campaign

This Sysco claim fits a pattern. ShinyHunters has been on a tear in 2026, claiming breaches at more than 300 organizations through what appears to be systematic exploitation of Salesforce and Oracle PeopleSoft vulnerabilities.

Recent ShinyHunters victims include Madison Square Garden (26 million records), Kodak (2.2 million records), and Cisco. The gang's preferred attack vector involves compromising enterprise SaaS platforms rather than targeting individual corporate networks—a strategy that yields massive datasets with relatively focused effort.

The Oracle PeopleSoft exploitation campaign we covered last week may provide context for how ShinyHunters is gaining access to these corporate systems. Unpatched CVE-2026-35273 instances give attackers unauthenticated remote code execution, which can then be used to pivot to connected systems like Salesforce.

The Qilin Connection

The timing overlap with Qilin's earlier Sysco listing raises questions. Sample documents Qilin published included a customer invoice from February 2026 and a tax document from June 2025—suggesting access to legitimate Sysco systems.

Multiple groups targeting the same victim isn't unusual. Initial access brokers sometimes sell network access to several buyers, or data exfiltrated during a ransomware attack gets resold on criminal forums after the original group moves on. Qilin has been particularly active in 2026, claiming 15 victims in just 72 hours earlier this year. It's also possible ShinyHunters and Qilin accessed different systems entirely.

Sysco has not publicly confirmed either incident. A 2023 SEC filing revealed a previous breach affecting 126,000 individuals, demonstrating the company has been a target before.

Why This Matters

Sysco's position in the food supply chain makes any compromise significant beyond the immediate data exposure. The company distributes food products to roughly 700,000 customer locations, meaning their vendor relationships touch a substantial portion of the food service industry.

Customer data from Sysco could enable targeted attacks against restaurants, hospitals, and schools that rely on the company for supplies. Knowing which facilities order what products, in what quantities, and on what schedules provides useful intelligence for social engineering or supply chain attacks.

The double extortion model—threatening data exposure alongside encryption—has become standard for ransomware operators. ShinyHunters represents the logical extension: pure extortion without bothering with ransomware deployment. Why encrypt systems when threatening to publish stolen data achieves the same leverage?

For enterprises running Salesforce, this incident reinforces the importance of treating SaaS platforms as critical attack surfaces. Salesforce security configurations, API access controls, and integration credentials all require the same rigor applied to traditional network infrastructure.

Organizations should monitor ShinyHunters' leak site for any Sysco data publication after June 18. If released, the dataset could fuel secondary attacks against Sysco's customers and partners who may find their information exposed. Security teams at organizations that do business with Sysco should prepare for potential phishing campaigns leveraging any disclosed relationship data.

Sysco has not responded to requests for comment on either extortion demand.