
ShinyHunters and FulcrumSec have launched a coordinated wave of attacks against education technology firms, compromising personal data and disrupting services for thousands of schools and colleges. The assaults, first observed on 17 June 2026, have already exposed sensitive information belonging to staff and students, raising alarms across the sector. A recent report on the incident highlights the growing trend of threat actors focusing on the EdTech supply chain.
The attackers infiltrated a Salesforce environment used by several districts, extracting names, email addresses and phone numbers from more than 137 000 staff accounts. Investigators believe the breach stemmed from exposed API keys or overly permissive permission sets that allowed unauthorized querying of the affected Salesforce objects. Once inside, the threat actors exported the data to an external server before the intrusion was detected.
In a separate incident, the Global Schools Foundation suffered a ransomware encryption event that locked down servers hosting learning management systems and student portals. The ransom note demanded payment in cryptocurrency and threatened to publish the stolen data if the demand was not met within a strict deadline. The attack forced many schools to revert to paper-based administration while recovery teams worked to restore from backups.
ShinyHunters, known for large-scale credential harvesting and the sale of stolen data on underground forums, has been linked to the Salesforce exfiltration. FulcrumSec, which operates a ransomware-as-a-service platform, is suspected of delivering the payload that encrypted the Foundation's networks. Both groups have been observed using phishing emails with malicious attachments and leveraging compromised third-party vendors to gain initial access, indicating an active and evolving campaign.
The education technology sector holds vast quantities of personally identifiable information, including data on minors, which makes it a lucrative target for financially motivated actors. A successful breach can lead to identity theft, financial fraud and a serious loss of confidence among parents, educators and regulators. These recent events demonstrate that defenders must treat EdTech networks as critical infrastructure and prioritise protective measures accordingly.
Defenders should begin by auditing Salesforce configurations, removing unnecessary API tokens and enforcing the principle of least privilege on all connected applications. Multi-factor authentication must be mandated for every administrative account, and login activity should be monitored for anomalous patterns. Network segmentation can limit lateral movement, while regular offline backups stored separately from the production environment provide a reliable recovery option.
Finally, sharing indicators of compromise with trusted information sharing and analysis centres helps the broader community detect and block similar threats in real time.
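The monitoring recommendation above (watch login activity for anomalous patterns, and catch bulk querying by over-privileged API tokens before the data leaves) can be turned into a small detection routine. The following is an added example written for this article, not code from the report or from Salesforce; the event fields, the sample records, the allowed API egress range and the export threshold are all constructed assumptions chosen to resemble what a login-history or API-usage export might contain.

```python
"""Flag the access patterns described in the article: administrative UI logins
without MFA, API logins from outside a known integration range, and a single
API identity pulling an unusually large number of records.

Everything below is a constructed example; field names, IPs and thresholds
are assumptions rather than a real Salesforce export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample events. "records" is the row count returned by an API
# session; UI logins carry 0 because they are not data pulls.
SAMPLE_EVENTS = [
    {"user": "admin@district.example", "login_type": "UI", "mfa": True, "ip": "203.0.113.10", "records": 0},
    {"user": "svc-sync@district.example", "login_type": "API", "mfa": False, "ip": "198.51.100.7", "records": 500},
    {"user": "svc-sync@district.example", "login_type": "API", "mfa": False, "ip": "198.51.100.7", "records": 800},
    {"user": "integration@district.example", "login_type": "API", "mfa": False, "ip": "192.0.2.99", "records": 60000},
    {"user": "integration@district.example", "login_type": "API", "mfa": False, "ip": "192.0.2.99", "records": 80000},
    {"user": "admin2@district.example", "login_type": "UI", "mfa": False, "ip": "203.0.113.11", "records": 0},
]

# Assumption: the only legitimate source of API traffic is the sync vendor's
# published egress range. Anything else is worth a look.
ALLOWED_API_NETS = [ip_network("198.51.100.0/24")]

# Assumption: no single integration should read this many records in one
# monitoring window. Tune to the size of the org's largest nightly sync.
BULK_EXPORT_THRESHOLD = 100_000


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def detect(events, allowed_nets=ALLOWED_API_NETS, bulk_threshold=BULK_EXPORT_THRESHOLD):
    """Return one Finding per (rule, user) pair that trips a check."""
    findings = []
    seen = set()                # de-duplicate repeated hits for the same user
    totals = defaultdict(int)   # records pulled per API identity

    def add(rule, user, detail):
        if (rule, user) not in seen:
            seen.add((rule, user))
            findings.append(Finding(rule, user, detail))

    for ev in events:
        if ev["login_type"] == "UI" and not ev["mfa"]:
            add("ui_login_without_mfa", ev["user"], f"ip={ev['ip']}")
        if ev["login_type"] == "API":
            addr = ip_address(ev["ip"])
            if not any(addr in net for net in allowed_nets):
                add("api_login_from_unlisted_ip", ev["user"], f"ip={ev['ip']}")
            totals[ev["user"]] += ev["records"]

    # Aggregate after the pass so many medium-sized pulls still add up.
    for user, total in totals.items():
        if total >= bulk_threshold:
            add("bulk_record_export", user, f"records={total}")

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:28s} {f.user:32s} {f.detail}")
```

Run against the constructed sample, the routine reports the admin account that logged in without MFA, the integration identity that connected from outside the allowed range, and that same identity's cumulative pull of 140 000 records; the legitimate sync account, which stays inside its range and well under the threshold, produces nothing. The aggregation step matters: a per-request cap alone would miss an exfiltration split into many smaller queries, which is the pattern that leaves "more than 137 000" rows gone before anyone notices.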