Follett Software LLC, a leading provider of library management, classroom analytics, and student information software to US K-12 schools, has been named as a victim on the ShinyHunters ransomware leak site. The post, dated 30 April 2026 with an updated statement on 1 May 2026, claims the exposure of more than 4 million Salesforce records containing personally identifiable information and internal corporate data, and sets a final-response deadline of 4 May 2026. The listing should be treated as unconfirmed pending independent corroboration, as ShinyHunters listings have previously included unverified or fabricated victim claims.

What Happened

The ShinyHunters threat group added Follett Software LLC to its dark web leak portal on 30 April 2026, framing the post in the customary double-extortion style: a public naming, an asserted data trove, and an ultimatum. The group updated the listing on 1 May 2026 with an apparent escalation, urging the victim to respond by 4 May 2026 or face additional consequences. No ransom figure is published on the leak page, and the entry contains no screenshots, file trees, or downloadable samples, leaving the claim narrative-only at this stage. RedPacket Security, which surfaced the listing through automated scraping of the actor's onion site, has flagged that ShinyHunters posts have been previously associated with unverified or fabricated claims, citing reporting from BankInfoSecurity. Follett Software has not, as of publication, issued a public statement confirming or denying the incident.

What Was Taken

According to the leak post, the threat actor is asserting access to over 4 million Salesforce records belonging to Follett Software, characterized as containing personally identifiable information and internal corporate data. The actor has not enumerated specific field types, customer segments, or date ranges. Given Follett Software's customer base, a Salesforce CRM dataset of this scale would plausibly include school district contact records, procurement contacts, support tickets, sales pipeline notes, and contract metadata tied to thousands of US K-12 institutions. Whether the data includes student records is unclear from the listing; Salesforce is typically a sales and customer-success system rather than a student information system of record, but cross-system contamination is common. Without a sample, the volume claim itself remains unsubstantiated.

Why It Matters

Follett Software is one of the most deeply embedded vendors in the US K-12 ecosystem, with products such as Destiny Library Manager and Aspen SIS used by tens of thousands of schools. A confirmed compromise of its CRM data would not only expose the company's own commercial relationships but would also produce a high-fidelity targeting list for downstream phishing, business email compromise, and impersonation campaigns aimed at school district administrators, IT staff, and procurement officers. The K-12 sector continues to be one of the most heavily targeted verticals for ransomware and extortion in 2026, and education-vendor breaches have repeatedly served as upstream pivots into customer environments. Even if the ShinyHunters claim proves exaggerated or recycled, the listing places Follett's customer base on notice that vendor-derived social engineering may follow.

The Attack Technique

The leak post does not describe an intrusion vector, and Follett Software has not disclosed one. The reference to Salesforce records, however, fits a pattern ShinyHunters has been associated with throughout 2024 and 2025: theft of cloud CRM data via stolen OAuth tokens, voice-phishing of customer-support staff into approving malicious connected apps, and credential abuse against single-sign-on providers rather than on-premise encryption events. The post's framing as a data-leak ultimatum, with no mention of file encryption or operational disruption, is consistent with a pure-exfiltration extortion play rather than a traditional ransomware encryption attack. Defenders should treat the working hypothesis as cloud identity compromise leading to bulk Salesforce export, until and unless evidence emerges to the contrary.

What Organizations Should Do

• Education customers of Follett Software should review recent communications purporting to come from Follett representatives and validate any unusual support, billing, or access requests through known-good channels.
• Audit Salesforce environments for unauthorized connected apps, anomalous data export volumes, and OAuth grants issued to unfamiliar client IDs over the past 90 days, and revoke any that are not explicitly trusted.
• Enforce phishing-resistant MFA, such as FIDO2 hardware keys, on all administrative and integration accounts in CRM, IdP, and email tenants, and disable legacy authentication paths.
• Monitor for credential-harvesting and impersonation campaigns referencing Follett, Destiny, or Aspen branding aimed at school district staff, and pre-position user awareness messaging.
• Verify that data loss prevention rules cap or alert on bulk record exports from Salesforce, particularly to unsanctioned IPs or new API integrations.
• Track the ShinyHunters leak entry for evidence escalation: the appearance of samples, file listings, or a ransom figure would shift the listing from an unverified claim toward corroborated incident status.

Sources: [SHINYHUNTERS] - Ransomware Victim: Follett Software LLC - RedPacket Security