
Two Ransomware Crews Hit Sysco in Two Months. Qilin in May, ShinyHunters in June. When Two Gangs Walk the Same Door Weeks Apart, the Door Was the Problem.

  • Writer: Patrick Duggan
  • 12 minutes ago
  • 4 min read

Sysco is the largest food distributor in the world, and in the span of about eight weeks it got claimed by two different extortion crews. Qilin, the ransomware operation, named Sysco as a victim in early May. Then on June 15, ShinyHunters claimed it had stolen more than 61 million Salesforce records from the company — customer information, employee data, and internal corporate records — and set a June 18 payment deadline. When the deadline passed with no payment, the data started moving: Have I Been Pwned loaded 2,691,852 Sysco accounts into its database on June 28, exposing email addresses, full names, job titles, phone numbers, physical addresses, internal account IDs, and customer feedback records. That is the verifiable anchor in a story where a lot else is still a claim, so let us be clear about which is which — and then let us talk about the part that actually matters, which is not the record count.


The part that matters is the pattern: two separate gangs, two separate access paths, two months apart, against one company. That is not a coincidence and it is not bad luck. When two unrelated crews independently find a way into the same environment inside a single quarter, the honest reading is that the environment had more than one unresolved way in, and both were sitting open at the same time. A single breach is an incident. Two breaches by two actors through what look like two different doors is a posture — and the posture is what a defender should be reading, not the headline number ShinyHunters put on its leak.


Here is the technique, and here is why we have written this exact story more times than any other beat this year. ShinyHunters' Salesforce campaign does not break Salesforce. It abuses OAuth tokens and dormant API credentials — the standing, long-lived authorizations that connect a CRM to the dozen SaaS tools bolted onto it. The same method has now been used against Kodak, Ralph Lauren, and the Council of Europe, and it traces straight back to the compromise we first wrote up in September 2025: UNC6395 and the Salesloft-Drift OAuth breach, where stolen tokens for one marketing integration opened the Salesforce instances of 760 organizations. We called that one a supply-chain failure with consumer consequences before the victim list was public. We wrote it again when the Salesloft breach put twelve security vendors in the victim column, again when ShinyHunters hit Klue and someone then stole the stolen data back from them, and again when the feds shuttered ShinyHunters' leak site — where we noted that we had named the victims from the infrastructure weeks before the takedown. Sysco is not a new kind of attack. It is the same OAuth-token door, on a bigger building.


That is why the two-crews-in-two-months detail is the story and the 61 million is the distraction. A record count is a claim ShinyHunters wants you to focus on, because fear is the product they are selling and an unverified big number is their best marketing. The 2.7 million that Have I Been Pwned independently loaded is the number you can actually stand on, and even that is the consequence, not the cause. The cause is the standing authorization nobody scoped down or rotated — the OAuth grant that keeps working long after anyone remembers issuing it, the API credential for a tool the company stopped using two vendors ago. Qilin found its own way in through the ransomware side; ShinyHunters found the CRM's soft SaaS underbelly. Both worked because the connective tissue between a company's systems is exactly the tissue nobody audits.


Here is what a defender should take from this, stated as carefully as the facts allow. Sysco has not, at last public check, confirmed the specifics of either claim, so treat the 61 million as ShinyHunters' assertion and the Qilin attribution as Qilin's — the 2.7 million in Have I Been Pwned is the piece with independent confirmation. But you do not need Sysco's confirmation to act on the lesson, because the lesson is not about Sysco. It is about your own OAuth grant inventory: every third-party token connected to your Salesforce, your Microsoft 365, or your Google Workspace is a door that does not show up in your firewall logs, does not trip your endpoint tooling, and keeps working until someone deliberately revokes it. The audit almost nobody runs is the list of every standing authorization into your crown-jewel SaaS, sorted by last-used date, with everything dormant killed. That list is where both of Sysco's doors lived.
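As an added example (not the article's own code, and not any vendor's API), here is that audit run over a constructed export of standing OAuth grants: never-used and long-idle grants go on the revocation list, live grants with tenant-wide scope go to review, and the output is sorted worst-first. The field names, the 90-day dormancy threshold and the `full` scope name are assumptions; a real run would feed it the grant export from your own SaaS admin console.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample of standing OAuth grants into one SaaS tenant, in the
# shape an admin-console export might take once normalised. Not real data.
SAMPLE_GRANTS = [
    {"app": "marketing-sync", "principal": "svc-mkt@example.test",
     "scopes": ["api", "refresh_token", "full"], "last_used": "2025-06-20T09:14:00Z"},
    {"app": "chat-connector", "principal": "integration@example.test",
     "scopes": ["api", "refresh_token"], "last_used": "2025-02-03T11:00:00Z"},
    {"app": "legacy-bi-export", "principal": "bi-tool@example.test",
     "scopes": ["api", "full", "refresh_token"], "last_used": None},
    {"app": "support-desk", "principal": "helpdesk@example.test",
     "scopes": ["api"], "last_used": "2025-06-25T16:40:00Z"},
]

@dataclass
class Finding:
    app: str
    principal: str
    idle_days: Optional[int]  # None: the grant has never been used at all
    broad: bool               # carries a tenant-wide scope such as "full"
    action: str               # "revoke", "review" or "keep"

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_grants(grants, now, dormant_after_days=90, broad_scopes=("full",)):
    """Classify each standing grant; never-used and long-idle grants are
    marked for revocation, broad-scope live grants for a human review."""
    findings = []
    for g in grants:
        idle = None if g["last_used"] is None else (now - _parse(g["last_used"])).days
        broad = any(s in broad_scopes for s in g["scopes"])
        if idle is None or idle >= dormant_after_days:
            action = "revoke"
        elif broad:
            action = "review"
        else:
            action = "keep"
        findings.append(Finding(g["app"], g["principal"], idle, broad, action))
    # Worst first: never-used grants, then the longest-idle ones.
    findings.sort(key=lambda f: (f.idle_days is not None, -(f.idle_days or 0)))
    return findings

def audit_sample(as_of="2025-06-28T00:00:00Z"):
    # Run the audit over the constructed sample as of a given timestamp.
    return audit_grants(SAMPLE_GRANTS, _parse(as_of))
```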


Two crews, one victim, eight weeks. The ransomware gang and the data-theft gang are not competitors here; they are two independent confirmations that the same environment had the same class of hole in more than one place. We will keep writing this beat as long as the OAuth token stays the most reliable way into a modern enterprise — because the through-line from UNC6395 in September to Sysco in June is one unbroken sentence, and almost nobody else is reading it as a single story. Cap the confidence at what the evidence supports: the claims are claims, the HIBP data is real, and the pattern is the point.

Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.

