A Crew Listed Follett on Its Leak Site. The Silence Is the Story.
A hacking group says it took 4 million records from the company that runs your school library catalog. Nobody has confirmed it. A month later, Follett still hasn't said a word. Both of those facts matter, and not in the order you'd think.
Let me start with what is actually true, because the whole point of this one is keeping the claim and the fact in separate boxes.
On April 30, 2026, at 22:27 UTC, the extortion group ShinyHunters added Follett Software LLC to its public leak site. The listing claims "over 4 million Salesforce records containing PII and other internal corporate data," and sets a May 4 "final warning" deadline before threatened release. That listing is real; you can see it indexed on the public ransomware trackers. What the listing represents is also clear, and the trackers say so plainly: it is the threat actor's own claim. Ransomware.live, which indexes it, states outright that it records "only publicly visible information posted by ransomware operators" and does not verify it.
So here is the line I am not going to cross: I am not telling you Follett was breached. As of this writing there is no public confirmation from Follett, from Salesforce, or from law enforcement. A criminal group posted a claim and a number. Criminal groups inflate, recycle, and occasionally invent. Treat the 4 million as marketing until someone who isn't running an extortion site says otherwise.
An unconfirmed claim is not nothing. It is a reason to ask questions, not a reason to panic, and definitely not a reason to wait quietly for the vendor to tell you how to feel.
Why this particular claim is worth taking seriously
If this were a no-name group with no track record, I'd tell you to ignore it. It isn't. The same crew, in the same week, demonstrably hit a sibling in the exact same sector.
On April 29 — one day before the Follett listing — Instructure detected unauthorized activity in Canvas, the learning platform used by thousands of schools. That one is confirmed: Instructure acknowledged the intrusion, said it revoked access and brought in outside forensics, and notified law enforcement including the FBI and CISA. ShinyHunters claimed it and set a ransom deadline. Reporting put the exposure at roughly 9,000 schools, with one district describing compromised data as names, email addresses, and student ID numbers for staff, students, and parents.
That is the context the Follett listing sits inside: a documented April–May campaign by this same group against education and SaaS platforms, run not through exotic software exploits but through social engineering, stolen credentials, and abused connected apps — the Salesforce-shaped attack pattern the Follett listing fits exactly. So the honest read is the uncomfortable middle one. The Follett breach is unconfirmed. The Follett breach is also entirely plausible, by a group that just proved it can do this to your other vendor.
Why it lands on the library
Follett Software is not a footnote in K-12. Destiny and its kin run library automation, resource management, and digital content for a very large share of American school libraries. If you are a school librarian, Follett is plausibly holding catalog data, circulation data, and student-linked records for your building. "Salesforce records with PII" in that context is not an abstraction. It is the administrative layer around real kids.
And student data carries obligations that adult-patron data doesn't. FERPA, state student-privacy statutes, and most district breach-notification policies don't wait for a vendor to be comfortable before they start their clocks. Which brings us to the part that actually bothers me.
The silence is the story
Instructure got hit and told people. It disclosed, it named the agencies it called, it shut down the abused feature. You can argue about the speed or the spin, but there was a public account a customer could act on.
A month after the Follett listing, there is no comparable public statement I can find. Maybe Follett investigated and found the claim is bogus. Maybe it's a recycled or exaggerated listing. If so, say that — a clear "we investigated this claim and found no evidence of a breach of customer data" is a perfectly good sentence, and its absence is conspicuous when a peer in the same campaign managed full disclosure. The thing a vendor owes the schools that depend on it, in the window between "a crew claimed something" and "we know what happened," is not silence. Silence leaves every customer to either over-react or, more commonly, assume it's fine because nobody told them otherwise. That second one is how unconfirmed claims quietly become unmanaged risk.
What to do this week, claim or no claim
None of this requires panic, and none of it should wait for certainty. It's the same boring, effective list that's correct whether or not the 4 million is real:
- Ask Follett directly, in writing. Three questions: Is my district's data implicated in the activity ShinyHunters has claimed? Was any Salesforce environment holding our data involved? If you've investigated and found nothing, will you say so in writing? Email, dated, kept.
- Loop in whoever owns breach response. District IT, the privacy officer, legal. This is a "make them aware now" moment, not a "handle it yourself at the desk" moment. FERPA and state clocks are theirs to manage.
- Inventory what Follett actually holds for you. You can't assess exposure you haven't mapped. What student-linked fields live in their systems? You should know this anyway.
- Tighten the SaaS edges. This campaign runs on credentials and connected apps. MFA everywhere, review third-party app connections, rotate anything shared. Cheap, and correct regardless.
- Watch the leak site, not the headlines. If data actually drops, the trackers will show it before the trade press does. That's your trigger to escalate from "asking questions" to "executing the plan."
The reason to write this up while it's still unconfirmed is not to ring an alarm. It's that the gap between a criminal's claim and a vendor's confirmation is exactly the window where school libraries get left holding a decision with no information. You don't have to know whether Follett was breached to know what to ask, and who to tell, today.
Receipts · sources
The Follett listing: ShinyHunters added Follett Software LLC to its leak site on April 30, 2026 (22:27 UTC), claiming "over 4M Salesforce records containing PII," with a May 4 "final warning" deadline. Tracked at ransomware.live, which indexes only publicly visible claims posted by the operators themselves and does not independently verify them. This is the threat actor's assertion, not a confirmed breach.
The confirmed sibling incident: Instructure detected unauthorized activity in Canvas on April 29, 2026, confirmed the intrusion, and notified law enforcement including the FBI and CISA; ShinyHunters claimed responsibility. Reporting via WRAL (May 2026). Background on ShinyHunters: Wikipedia.
What I have not claimed, and what is not established: that Follett was in fact breached, that customer or student data was actually accessed, or that the 4 million figure is accurate. As of filing there is no public confirmation from Follett, Salesforce, or law enforcement. If that changes, this filing will be updated and the change noted.
How these filings are sourced: Method.
Filed June 2026. No corrections to date.