Scholastic has fallen victim to a cyberattack resulting in the theft of data belonging to approximately 8 million users. A hacker operating under the alias “Parasocial” claimed to have accessed the information via a compromised employee account.
Scholastic, a renowned provider of educational resources spanning preschool to grade 12, is also the publisher of iconic titles such as Harry Potter, The Hunger Games, and the Goosebumps series.
The breach exposed names, email addresses, phone numbers, and home addresses of users in the United States, affecting parents, teachers, and administrators alike. Among the compromised records, 1,048,576 entries were tied to educational contacts, while the total number of unique email addresses reached 4,247,768. Analysts confirmed the breach by cross-referencing the stolen data with social media profiles.
The hacker revealed that malicious software had been employed to gain access to Scholastic’s employee portal. However, Parasocial noted that further data exfiltration was impeded by export limitations on the company’s server. To substantiate the claim, the hacker shared a screenshot with the media, showcasing access to employee data, sales quotas, and inventory management.
Parasocial emphasized that boredom was the motive for the breach and assured that the stolen data would not be publicly disclosed. Nevertheless, the hacker criticized the company’s security measures, urging Scholastic to adopt multi-factor authentication (MFA).
An intriguing detail emerged when Parasocial mentioned their association with the furry community, specifically “the puppygirl hacker polycule,” a group of individuals passionate about anthropomorphic animal characters. Although some speculated a connection with SiegedSec—a hacktivist group known for their activities—Parasocial denied any affiliation. Notably, in July, SiegedSec targeted the database of the ultra-conservative think tank, The Heritage Foundation, leaking 2 GB of confidential data before unexpectedly announcing their dissolution.
Scholastic has launched an investigation into the incident, reaffirming its commitment to prioritizing the security of user data.