The UNFI Cyber Incident: What Happened, What We Know, and What It Means for CPG Brands
last updated June 27, 2025 (first published June 17, 2025)
On June 6, 2025, one of North America’s largest grocery distributors abruptly went dark, leaving Whole Foods and other retailers scrambling without deliveries. Over the next eleven days, frontline employees and industry insiders took to Reddit to piece together what UNFI tersely called “unauthorized activity,” sharing real-time updates like never before experienced in the grocery world. For those unfamiliar, Reddit uses specialized pages, called subreddits, for specific topics; they are denoted with an “r/” prefacing the topic. Let’s start with a timeline of events as we learned them in real-time from Reddit and official company communications.
June 6, early AM
Across the country, stores awaken to missing deliveries from their primary fresh-and-natural foods distributor. Whole Foods employees report trucks simply never showed up, leaving shelves empty well before opening. A Reddit post in r/wholefoods captures the confusion:
“Came in at 5 a.m. today and was told there will be no UNFI truck due to issues on their end.”
June 6, mid-morning
Behind the scenes, distribution-center staff at one of North America’s largest grocery wholesalers scramble as their own systems go dark. A self-identified UNFI employee posts on Reddit:
“We literally cannot do anything network-related… This is catastrophic to the business.”
June 7
Without access to digital order systems, DC (distribution center) workers revert to pen and paper, while store buyers face uncertainty about replenishment. In r/FreightBrokers, a logistics coordinator notes:
“Our grocery buyer seems to think that UNFI is being held for ransom by hackers. No clue where he got that information from.”
June 8
Retail co-ops and vendors receive mixed signals about interim supply plans. A Whole Foods moderator in r/UNFI explains:
“As far as I can tell, they have only been sending to WFM so far and it’s only been top 100 items (dairy & grocery). No other retailers have received shipments that I’ve heard of.”
That same day, another Reddit user in r/wholefoods reports:
“They said they will deliver us items from our last order for the following week until this is fixed—hopefully.”
A produce buyer warns in r/produce:
“Keep in mind that whatever you order has been in storage a long time. I’d avoid highly perishable stuff if you can.”
June 9, 9:30 AM ET
After three days of silence, UNFI files an SEC Form 8-K, publicly revealing it detected “unauthorized activity” in its IT environment on June 5 and proactively took systems offline to contain it.
June 9, 3 PM ET
UNFI’s corporate website posts a press release reiterating the 8-K details and pledging collaboration with law enforcement and cybersecurity experts. Customers are urged to monitor updates as recovery efforts proceed.
June 10, 8:30 AM ET
On its quarterly earnings call, CEO Sandy Douglas walks investors through the internal response timeline: intruders detected on June 5, full network shutdown on June 6, and a goal of “full operational restoration by Sunday, June 15.”
June 11, 10 AM ET
UNFI sends a customer advisory explaining that limited shipments have resumed at select facilities using manual processes. A store buyer on Reddit reports:
“They’re running orders off printed sheets, but as of this morning we still haven’t seen any electronic confirmations.”
June 12, mid-day
Partial digital restoration allows some order entry, but buyers begin to notice quality issues. In r/wholefoods, one buyer asks:
““Anyone else getting expired/close to expired stuff?”
June 13
With electronic confirmations back at two major DCs, retailers are still frustrated. A Reddit user in r/TwinCities reports:
“I’m a buyer at a store that uses UNFI. There has been very little communication from our rep. It does not seem to be ending any time soon. We are looking at alternative vendors since our shelves will start to empty.”
Another user talks about vendor experience in r/WholeFoods:
”I’m a vendor. We’ve been told that the soonest UNFI can send orders to vendors will be Sunday, June 15.”
June 14
As backlog-clearing ramps up, stores begin to get closer to normal fill rates. Still, a user posts in r/wholefoods:
“Stores can’t order. Hannaford is being picked off sheets that are manually printed. I think they’re duplicating last Wednesday’s order rather than just sending random heavy-moving items. Inventory is a nightmare.”
June 15
The self-imposed recovery deadline arrives. UNFI issues a customer bulletin stating:
“We have returned to full operational capacity as of today. Thank you for your patience and partnership during this incident.”
A Reddit user posts in r/WholeFoods:
”Stores have the option to get duplicate orders because that’s all the robot can do… But if the store opts in, then it’s every department getting a duplicate order, and you cannot adjust it whatsoever. One thing we were told is that it could last into July.”Another commenter in the same thread:
”Anyone else getting expired/close to expired stuff? I got ten cases of Clover half gallons that expire next week. ‘Top movers’ my ass, more like s**t we didn’t want to keep in the warehouse.”
June 16
A follow-up internal memo confirms that the Warehouse Management System (WMS) and RF scanning equipment are now fully operational in every distribution center:
“All WMS modules and RF systems have been restored. Final data reconciliation efforts are underway.”
On Reddit we see from a user:
”My store just received a duplicate of a prior order with no invoice. We had to scan each case manually so our BOH isn’t as screwed. … Driver says it’s still chaotic and they’re trying to get the pick system back online by Sunday, but no guarantees.”
Grocery Dive reported:
Gilpin Matthews, co-owner of Darlings Grocery
“I put in my order on June 8 but did not receive confirmation from the distributor. We had no notice—and empty shelves don’t look good… if people go in and they can’t get the things they need, they’re going to go somewhere else.”
June 17, 8 AM ET
A Reddit user in r/Technology said:
”I was at work today and this distributor has told our company that it may take a week to get this fixed.”
Local news in San Antonio corroborates ongoing product shortages at select stores, noting that while mainline grocery items are back, many specialty SKUs remain delayed.
June 18
Whole Foods employees report ongoing stock imbalances despite deliveries resuming. “It’s affecting operations in a very, very significant way,” one Sacramento team member says, noting some shelves are still empty or refilled with the wrong quantities; sometimes “too much of one product” and not enough of another – as UNFI works through its backlog
June 19
Media outlets openly label the incident as a ransomware attack as evidence mounts of a classic extortion playbook. NBC News reported that UNFI “acknowledged the ransomware attack” in its statements to the press, and trade analysts note the 10-day timeline aligns with how long it typically takes to negotiate and recover from ransomware.
June 26
UNFI releases an official statement acknowledging that they are not yet 100% recovered, but core systems are online:
“We have safely restored the core systems our retail customers and suppliers use to do business with us, and the incident has been contained. With our electronic ordering and invoicing systems back online, we are delivering products to grocery stores across our network at more normalized levels. We are grateful to all our customers and suppliers for their patience and partnership as our UNFI associates continue working to support their needs.”
What’s Confirmed
UNFI experienced a major system failure tied to a cybersecurity breach. In its June 9 SEC filing, the company acknowledged that it had detected “unauthorized activity” on June 5 and shut down several core systems to contain the intrusion. The incident disrupted everything from order management to warehouse logistics and delayed deliveries across the country.
UNFI has said it is working with law enforcement and external cybersecurity experts. Bloomberg later confirmed that CrowdStrike was brought in to manage the forensic response. By June 12, the company told media outlets that it was gradually restoring systems.
UNFI has not confirmed whether the incident involved ransomware or any data exfiltration. There’s been no public disclosure of any ransom demand, leaked data, or a claim of responsibility by known ransomware gangs.
What we do know:
The breach was severe enough to shut down nearly every core system in UNFI’s network.
Deliveries to grocery retailers were missed for multiple days.
Warehouse workers were sent home or worked partial shifts without system access.
Retailers like Whole Foods experienced partial or full stockouts on key SKUs, especially perishables and branded natural products.
Freight brokers and truckers were left stranded or had loads redirected.
What’s Unconfirmed (But Very Likely True)
What is now confirmed as of June 27
Ransomware is the leading theory, and for good reason. Confirmed!
Reddit user u/CPG-Distributor-Guy (that’s us if you don’t follow us yet!) summarized what many insiders were already thinking:
“They confirmed it was a cyber attack, and a company like UNFI will only come under one type of cyber attack – one that pays the attackers money.”
They continued:
“Ransom attacks like this usually take a good 7–10 days to rectify… Leadership always takes 5 days to realize they’ll need to pay, and then 3–5 days to get the cash together.”
That prediction ended up pretty close to reality; UNFI’s systems began coming back online just shy of that 10-day mark.
Other Reddit users shared similar suspicions, pointing out the vagueness of UNFI’s language and the sweeping nature of the shutdown. The fact that the company went completely dark across invoicing, picking, shipping, and even internal communication systems is highly indicative of a ransomware attack or a preemptive shutdown to avoid malware spread.
One employee shared: “They told us it was the invoicing system that got hit first, and then everything else just stopped working.” Another theorized the breach could’ve stemmed from a “fake update” rolled out earlier in the week; a common tactic in ransomware campaigns.
The absence of an explicit ransom demand or a public shaming by attackers could mean one of two things: either UNFI negotiated quietly behind the scenes, or they preemptively shut things down before encryption began. Most often the payment is made quietly.
Either way, the sequence of events fits the typical ransomware playbook. And while UNFI hasn’t confirmed that, almost everyone in the industry is operating under the assumption that this was exactly that.
Impact on CPG Brands
For brands, especially those that rely on UNFI for national or regional distribution, the fallout was immediate:
1. Purchase Orders Were Delayed or Cancelled
Orders placed in early June were effectively canceled or stalled. Some regions started issuing manual POs or repeating last week’s orders once partial systems came online, but brands that rely on tight weekly cadence got burned. Double check what isn’t confirmed and reissue with new inventory information when it comes available. don’t fulfill a PO without confirming it should be and is authentic.
2. Payment Timing May Be Affected
While UNFI claims payroll and payments will continue uninterrupted, several vendors on Reddit voiced concern that invoice approvals were on hold. “Chargebacks will increase and manufacturers won’t get paid on time – not that they do anyways,” wrote a Reddit user.
3. Inventory Spoilage
Perishable items sitting in UNFI’s DCs were likely subject to spoilage, especially fresh and refrigerated items. If your brand had product in the system when things went dark, you’re now facing write-offs or rework. Managing your inventory has never been more critical than now.
4. Disrupted Retailer Relationships
Some brand managers were caught off guard by buyers canceling resets or promotional timing due to out-of-stock issues. The lack of communication during the outage made it difficult for brands to offer replacements or updates to their buyers. Pick up the phone, give them a call, work things out together as partners.
Impact on Grocery Retailers
Retailers, especially those who lean heavily on UNFI, saw serious short-term consequences.
1. Empty Shelves
Photos circulated on Reddit and Twitter showing completely bare refrigerated sections, bread aisles, and center store shelves at Whole Foods and co-ops. Whole Foods employees confirmed that UNFI deliveries were missed or significantly delayed for at least three days. Most retailers have alternate suppliers for many core SKUs, but the brand specific SKUs sometimes are only UNFI. People won’t starve but they may need to wait a few weeks to get Captain Crunch again.
2. Higher Costs from Alternate Sources
Many independent grocers had to place emergency orders with regional or local suppliers. But those orders typically carry less favorable terms, and shorter payment cycles. Retailers absorbing those costs might adjust shelf pricing or pause promotions as a result.
3. Manual Workarounds Created Labor Bottlenecks
In several stores, employees had to receive shipments manually or deal with mismatched SKUs and backdated invoices. A buyer in one thread noted: “We can’t even track what we’re getting right now… there’s no digital trail.”
4. Forecasting Fallout
Retailers relying on scan data and demand planning through UNFI’s systems were flying blind for a week. For chains with high private label or rotating local assortments, this caused unnecessary reorders or shelf gaps. It will take weeks and months to flow through to retailer and get back on track.
Final Thoughts
UNFI’s outage didn’t bring the food system to a halt—but it did expose just how brittle some of the connective tissue really is. The average consumer may not notice much beyond a missing ice cream flavor or bread brand, but for CPG founders and ops teams, it was a nightmare week.
The incident highlighted how little redundancy exists in some brand–distributor–retailer relationships. It also showed how few options you have when one of your major fulfillment nodes disappears overnight.
If there’s a silver lining, it’s that UNFI contained the damage. Operations resumed within 10 days, and no evidence of leaked data has surfaced. But the next attack might not be so easy to absorb.
Check out our complete guide on how to have success in the national distribution environment!
KeHE & UNFI: The Complete Guide