
ShinyHunters Follett Software Breach: Salesforce Data Risk and How Identity-Based SaaS Attacks Enable Data Theft

Allen Jones

Apr 21, 2026

5 min read


The ShinyHunters Follett Software breach claim has put another Salesforce-linked extortion deadline in the spotlight.

On April 30, 2026, ShinyHunters reportedly listed Follett Software LLC, a leader in U.S. education software, as an alleged victim, claiming access to more than 4 million Salesforce records containing personally identifiable information (PII) and internal corporate data. The group issued a May 4 deadline, threatening a public leak and additional disruption if demands were not met. These claims remain unverified, with no public confirmation from Follett, Salesforce, or law enforcement.

Still, the alleged Follett incident reflects a broader pattern of ShinyHunters-linked SaaS extortion. Threat intelligence and FBI advisories have warned that attackers are targeting environments through social engineering, compromised credentials, malicious connected apps, and API-driven data theft, rather than exploiting traditional software vulnerabilities.

For IT leaders, the message is clear: attackers are increasingly targeting identities, tokens, integrations, and SaaS workflows—where enterprise data actually resides.


Inside the Identity Attack Chain: How SaaS Access Is Turned Into Data Theft

What makes incidents like the Follett claim particularly concerning is not just the scale, but the method. Recent threat intelligence shows that attackers targeting Salesforce environments are not exploiting platform vulnerabilities; they are exploiting access itself.

  1. In many cases, the attack begins with social engineering or credential compromise, such as voice phishing campaigns that trick employees into sharing login credentials or approving malicious connected apps. Once access is granted, attackers can operate as legitimate users inside the SaaS environment.
  2. From there, the focus shifts to session persistence and token-based access. OAuth tokens and connected apps allow attackers to interact with APIs without repeatedly triggering authentication checks. This enables large-scale, automated data extraction using native tools and queries, often blending into normal system activity.
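The token-based extraction pattern described above leaves a correlatable trace: a connected app is authorized and, shortly afterwards, that app starts pulling large row counts through the API. The following Python is an added detection example, not code from the original post or from Hexnode; the event records, field names, user names and thresholds are constructed assumptions that mimic the shape of SaaS audit events rather than real Salesforce output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (invented for this example, not real log data).
EVENTS = [
    {"ts": "2026-01-10T08:00:00", "user": "asmith", "type": "APP_AUTHORIZED", "app": "ReportingETL", "rows": 0},
    {"ts": "2026-04-20T09:02:00", "user": "jdoe", "type": "LOGIN", "app": None, "rows": 0},
    {"ts": "2026-04-20T09:05:00", "user": "jdoe", "type": "APP_AUTHORIZED", "app": "DataSyncHelper", "rows": 0},
    {"ts": "2026-04-20T09:07:00", "user": "jdoe", "type": "API_QUERY", "app": "DataSyncHelper", "rows": 2000},
    {"ts": "2026-04-20T09:08:00", "user": "jdoe", "type": "API_QUERY", "app": "DataSyncHelper", "rows": 2000},
    {"ts": "2026-04-20T09:09:00", "user": "jdoe", "type": "API_QUERY", "app": "DataSyncHelper", "rows": 2000},
    {"ts": "2026-04-20T09:10:00", "user": "jdoe", "type": "API_QUERY", "app": "DataSyncHelper", "rows": 2000},
    # A long-standing integration moving similar volume is not the pattern targeted here.
    {"ts": "2026-04-20T10:00:00", "user": "asmith", "type": "API_QUERY", "app": "ReportingETL", "rows": 6000},
]


def find_bulk_extraction(events, window=timedelta(hours=24), row_threshold=5000):
    """Return (user, app, total_rows, query_count) for connected apps that were
    authorized within `window` and then fetched more than `row_threshold` rows
    via the API. Many modest queries summing to a large total are counted, since
    that is how extraction blends into normal-looking activity."""
    authorized = {}                      # (user, app) -> authorization time
    rows = defaultdict(int)
    count = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "APP_AUTHORIZED":
            authorized[key] = ts
        elif ev["type"] == "API_QUERY" and key in authorized:
            if ts - authorized[key] <= window:
                rows[key] += ev["rows"]
                count[key] += 1
    return [(u, a, rows[(u, a)], count[(u, a)])
            for (u, a) in rows if rows[(u, a)] > row_threshold]


if __name__ == "__main__":
    for user, app, total, n in find_bulk_extraction(EVENTS):
        print(f"ALERT: {user} authorized {app} and fetched {total} rows in {n} queries")
```

The asmith/ReportingETL activity is deliberately left unflagged: volume from an app authorized months ago belongs to a per-app baseline comparison, which is a separate check.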

The result is what can be described as “industrialized” data theft, where high-volume exfiltration is executed through trusted workflows, rather than noisy malware or lateral movement.

Identity Is Now Part of the Perimeter

These attack patterns show that identities, connected apps, and trusted integrations now define enterprise security just as much as devices and network boundaries. This means a secure endpoint alone is not enough if attackers can still gain access through compromised credentials, over-permissioned apps, or unvetted third-party tools. As recent investigations have shown, trusted SaaS access paths can be abused without triggering traditional alerts. Securing the modern enterprise now requires visibility and control across devices, identities, tokens, and integrations.

The Hexnode Solution

If the modern attack path is built on compromised identities and trusted access, then the defense must focus on verifying every access attempt. Hexnode approaches this by combining endpoint visibility, identity-aware access control, and centralized policy enforcement into a unified security model.

Hexnode IdP: Controlling Access with Device-Aware Identity

A key weakness in SaaS attacks is that access is often granted based on credentials alone.

Hexnode IdP strengthens this by enforcing device-aware authentication, where access decisions consider both the user’s identity and the device’s real-time compliance status. This enables organizations to:

  • enforce conditional access policies
  • allow access only from trusted, compliant devices
  • apply MFA and role-based access controls
  • continuously validate access rather than treating login as a one-time event

In practical terms, even if credentials are compromised, access can be restricted if the device does not meet security requirements or falls out of compliance.
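To make the device-aware decision concrete, here is an added Python sketch of a conditional access evaluator that treats valid credentials as necessary but not sufficient, and re-evaluates an open session whenever the device's compliance state changes. It is example code, not Hexnode IdP's implementation; the compliance attributes, resource names and role mappings are constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DeviceState:
    managed: bool          # enrolled in UEM
    os_patched: bool
    disk_encrypted: bool


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_ok: bool
    role: str
    device: DeviceState


# Constructed policy (hypothetical resource and role names).
RESOURCE_ROLES = {"crm": {"sales", "support"}, "hr": {"hr_admin"}}


def device_compliant(d: DeviceState) -> bool:
    return d.managed and d.os_patched and d.disk_encrypted


def evaluate(req: AccessRequest, resource: str) -> tuple:
    """Identity and device state are evaluated together; a stolen password
    used from an unmanaged or non-compliant device is denied."""
    if not req.password_ok:
        return False, "bad credentials"
    if not req.mfa_ok:
        return False, "mfa failed"
    if not req.device.managed:
        return False, "unmanaged device"
    if not device_compliant(req.device):
        return False, "device non-compliant"
    if req.role not in RESOURCE_ROLES.get(resource, set()):
        return False, "role not permitted"
    return True, "allowed"


class Session:
    """Login is not a one-time gate: revalidate() re-runs the policy with the
    device's current state and revokes the session if it no longer passes."""
    def __init__(self, req: AccessRequest, resource: str):
        self.req, self.resource = req, resource
        self.active, self.reason = evaluate(req, resource)

    def revalidate(self, current_device: DeviceState) -> bool:
        self.req = replace(self.req, device=current_device)
        self.active, self.reason = evaluate(self.req, self.resource)
        return self.active
```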

Hexnode UEM: Reducing Endpoint-Driven SaaS Risk

Since many SaaS attacks originate from compromised endpoints or unsafe browser activity, controlling devices becomes critical. Hexnode UEM provides centralized control over:

  • application installation and usage
  • device compliance and configuration
  • security policies across endpoints

This allows IT teams to:

  • restrict unapproved applications
  • enforce consistent configurations
  • ensure only managed devices access corporate resources

By reducing unmanaged or risky endpoints, organizations can limit the exposure of SaaS sessions and credentials.

Hexnode XDR: Strengthening Detection at the Endpoint Layer

Identity-based attacks often avoid traditional malware signals, making detection more challenging. Hexnode XDR enhances visibility by:

  • consolidating endpoint security events
  • enabling detection of suspicious activity
  • allowing faster response from a unified console

While SaaS-level monitoring may require additional tools, endpoint-level telemetry still plays a critical role in identifying abnormal behavior associated with compromised accounts or devices.


Mitigation: The Post-Breach Audit

After a SaaS breach or exposure, recovery is not just about restoring systems. It’s about ensuring attackers no longer have leverage.

  • Validate backups and enforce immutability: Verify that backups are intact, isolated, and stored using immutable or offline mechanisms. Modern ransomware campaigns often target backup systems directly, making tamper-proof storage essential for reliable recovery and preventing extortion pressure.
  • Monitor for credential exposure: Implement near real-time monitoring for leaked credentials and access tokens on dark web and breach forums. Rapid detection enables organizations to revoke compromised access and reduce the risk of follow-on attacks.

Recovery Is the New Security Boundary

The ShinyHunters campaign highlights a hard truth. Preventing every breach is no longer realistic, but controlling the aftermath is. Modern attackers target identities, SaaS access, and even backup systems to maximize leverage. That’s why post-breach resilience matters. Secure, immutable backups ensure recovery even if attackers compromise systems, while continuous monitoring helps detect and contain further exposure.

Ultimately, security today is not just about stopping access. It’s about ensuring that even when access is abused, your data, systems, and operations remain recoverable, controlled, and resilient.


Allen Jones

Curious, constantly learning, and turning complex tech concepts into meaningful narratives through thoughtful storytelling. Here I write about endpoint security that is grounded in real IT use cases.