Back to Blog
high severity April 30, 2026 · scope unconfirmed

Follett Software LLC Listed by shinyhunters Ransomware Group

Over 4M Salesforce records containing PII and other internal corporate data have been compromised. This is a final warning to reach out by 4 May 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline. | Updated: 1 May 2026 | Warning: FINAL WARNING

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed April 30, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On April 30, 2026, the ransomware group ShinyHunters listed Follett Software LLC on its leak site and claimed to have exfiltrated more than 4 million Salesforce records containing personally identifiable information and other internal corporate data. The group gave the company until 4 May 2026 to respond before publishing the material and warned of additional “annoying digital problems.”

Confirmed Details from Reporting

Public reporting on the ransomware.live portal describes the incident as a ransomware attack in which internal files were taken from Follett Software LLC. The listing includes a final-warning notice dated April 30, 2026, updated the following day, stating that the stolen data encompasses over 4M Salesforce records with PII. No exact number of individuals affected has been confirmed, but the volume of records suggests the breach could touch customers, employees, or partners whose information was stored in those systems. The group’s post explicitly threatens to leak the material unless contact is made before the stated deadline.

Why This Matters for You and Your Family

When a company that handles education, library, or administrative data suffers a breach, the exposed information often includes names, addresses, dates of birth, contact details, and sometimes student or family records. If your school district, local library, or child’s extracurricular program uses Follett products, your family’s details may be among the compromised records. Once this type of data reaches criminal marketplaces, it can be used for identity theft, phishing campaigns, or sold to other attackers who target ordinary households. The short 4 May 2026 deadline means the window for the company to contain the leak is closing quickly, leaving individuals with little official notice.

The Doxxing and Identity-Chain Risk

Credential leaks and PII from one service rarely stay isolated. Attackers frequently combine exposed emails, phone numbers, and partial personal details with information already circulating on forums and gaming platforms. This creates an identity chain that can lead to doxxing, account takeovers, and harassment. Public reporting indicates that data sets of this size are often cross-referenced within days, turning a corporate breach into personal exposure for families. Gaming accounts belonging to children are especially vulnerable because the same email or password reused from a school-related service can unlock those profiles, exposing chat logs, friend lists, and location data.

ShinyHunters’ Publicly Known Track Record

Public reporting attributes ShinyHunters with emerging in 2020 and conducting numerous high-profile data theft operations. The group has previously targeted organizations in retail, technology, and education sectors, often exfiltrating customer databases before attempting extortion. Their typical playbook involves initial access through compromised credentials or vulnerabilities, followed by exfiltration of large volumes of structured data, and then public shaming on leak sites paired with ransom demands. In many cases they release samples as proof and threaten full publication if payment or contact is not made within a short window.

What to do

  • Rotate any password you or your family ever used with Follett services or any connected school or library account, and enable 2FA through an authenticator app rather than SMS.
  • Run a DoxxScan to map every link between your emails, phone numbers, usernames, and real-world identity so you can see exactly what chains exist before criminals exploit them.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next time your information surfaces you learn within hours rather than months.
  • Cover the household with DoxxScan family protection that includes children’s gaming accounts, which often become the next link in doxxing chains after a credential leak like this one.
  • Let remediation specialists handle takedown requests and broker removals for you while you focus on securing accounts and talking with your family about safe password habits.

The incident is a reminder that corporate data breaches quickly become personal when the stolen information can be stitched together across services. Taking concrete steps now limits how far attackers can travel down the identity chain. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that explicitly protects children’s gaming accounts. Starting your DoxxScan trial gives you and your family that layered defense before the next leak appears.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.