Follett Software Ransomware Claim by ShinyHunters (May 2026)

Claim Summary

On 1 May 2026, the ransomware group ShinyHunters posted an unverified claim on their dark web leak site alleging a breach of Follett Software LLC, a US-based education technology company operating under the domain follettsoftware.com. The threat actor claims to have exfiltrated over 4 million Salesforce records containing personally identifiable information (PII) and other internal corporate data. The post, dated 30 April 2026, includes a “final warning” demanding the victim reach out by 4 May 2026, or the group threatens to leak the data and cause “several annoying (digital) problems.” As of this writing, Yazoul Security has not independently verified any aspect of this claim, and no data samples or proof of compromise have been publicly released by the group.

Threat Actor Profile

ShinyHunters is a threat actor group known primarily for data breach extortion and the sale of stolen databases on underground forums. The group has historically targeted a wide range of industries, including technology, e-commerce, and education. Their modus operandi typically involves exploiting misconfigured cloud services, SQL injection vulnerabilities, or compromised credentials to gain initial access. ShinyHunters has been associated with the sale of large datasets on dark web marketplaces, often claiming millions of records. However, the group’s track record includes a mix of verified breaches and exaggerated claims, making independent verification critical. No specific tools, such as YARA rules or detection signatures, are publicly available for ShinyHunters at this time. The group’s total known victim count remains undisclosed, and their tactics, techniques, and procedures (TTPs) are not well-documented in open-source intelligence.

Alleged Data Exposure

According to the leak site post, ShinyHunters claims to have accessed over 4 million Salesforce records from Follett Software. The alleged data includes PII and internal corporate data, though no specific data types (e.g., names, email addresses, financial information) have been detailed. The group has not provided any sample data or screenshots to substantiate the claim, which is a common tactic used by ransomware groups to pressure victims into paying ransoms. The data volume is listed as “Undisclosed,” and the post was updated on 1 May 2026, reinforcing the “final warning” deadline of 4 May 2026. Without independent verification, the scope and accuracy of this alleged breach remain unconfirmed.

Potential Impact

If the claim is verified, the exposure of 4 million Salesforce records could have significant consequences for Follett Software and its stakeholders. As an education technology company, Follett Software likely manages sensitive student, educator, and institutional data. Compromised PII could lead to identity theft, phishing attacks, and regulatory scrutiny under laws such as FERPA or state data breach notification statutes. The threat of “digital problems” suggests potential follow-on attacks, such as credential stuffing or targeted phishing campaigns against affected individuals. For Follett Software, this could result in reputational damage, loss of customer trust, and financial liabilities from remediation and legal costs. The education sector is particularly sensitive to data breaches, as they often involve minors and protected educational records.

What to Watch For

Yazoul Security recommends monitoring for the following developments:

• Leak of data samples: If ShinyHunters releases sample data after the 4 May 2026 deadline, this would increase the credibility of the claim. Any published records should be analyzed to confirm the source.
• Official statement from Follett Software: The company may issue a press release or regulatory filing acknowledging or denying the breach. Absence of a response could indicate ongoing negotiations or internal investigation.
• Dark web chatter: Monitor underground forums for sales or discussions of Follett Software data, which could confirm the breach’s legitimacy.
• Phishing campaigns: Affected individuals should be vigilant for targeted phishing emails referencing Follett Software or Salesforce credentials.

Disclaimer

This report is based solely on unverified claims made by the ransomware group ShinyHunters on their dark web leak site. Yazoul Security has not independently confirmed the breach, the data volume, or the authenticity of the alleged records. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into paying ransoms. No PII, download links, data samples, credentials, or access methods are provided in this report. Readers should treat this information as preliminary and await official confirmation from Follett Software or independent security researchers. For more intelligence, visit Yazoul Security’s intel section at /intel/.