Massive data breach at PowerSchool exposes 62 million students' personal information

1 unique source, 3 articles

Summary

In December 2024, a data breach at PowerSchool, a cloud-based software provider for K-12 schools, exposed the personal information of 62 million students and 9.5 million teachers across the U.S., Canada, and other countries. The breach included full names, addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, and medical data. The attacker initially demanded a $2.85 million ransom in Bitcoin. The breach affected 6,505 school districts, including over 880,000 Texans. The Texas Attorney General has filed a lawsuit against PowerSchool for failing to protect sensitive information. In May 2025, an affiliate of the ShinyHunters group attempted to extort school districts individually. In June 2025, Matthew D. Lane pleaded guilty to orchestrating the attack and attempting to extort millions of dollars. In October 2025, Lane was sentenced to four years in prison and ordered to pay $14 million in restitution and a $25,000 fine. The breach was part of a series of attacks on PowerSchool's PowerSource portal, with previous breaches occurring in August and September 2024. In March 2026, Infinite Campus, another K-12 student information system provider, warned of a breach after ShinyHunters claimed to have stolen data from an employee’s Salesforce account. The exposed data was mostly public, but the incident involved extortion attempts and prompted Infinite Campus to disable certain services and scan for compromised data. ShinyHunters has targeted hundreds of Salesforce accounts in recent campaigns, including claims of stealing over 1.5 billion records.

Timeline

  1. 24.03.2026 15:48 1 article · 23h ago

    ShinyHunters targets Infinite Campus in Salesforce data extortion attempt

    In March 2026, Infinite Campus warned customers of a data breach after ShinyHunters claimed responsibility for an extortion attempt. Hackers accessed an employee’s Salesforce account, exposing mostly publicly available information, including names and contact details for school staff. The threat actor demanded a ransom by March 25, 2026, but Infinite Campus refused to engage. The incident involved disabling certain customer-facing services and scanning Salesforce data for potential compromise. ShinyHunters claimed to have stolen Salesforce records containing PII and internal corporate data.

  2. 15.10.2025 22:41 1 article · 5mo ago

    Matthew D. Lane sentenced for PowerSchool data breach

    Matthew D. Lane, the orchestrator of the PowerSchool data breach, was sentenced to four years in prison and ordered to pay $14 million in restitution and a $25,000 fine. Lane pleaded guilty to multiple federal charges, including unauthorized access to protected computers, cyber extortion conspiracy, cyber extortion, and aggravated identity theft.

  3. 04.09.2025 21:01 2 articles · 6mo ago

    Texas sues PowerSchool after breach exposing 62 million students' data

    In December 2024, a data breach at PowerSchool exposed the personal information of 62 million students and 9.5 million teachers. The attacker demanded a $2.85 million ransom. The breach affected 6,505 school districts, including over 880,000 Texans. The Texas Attorney General has filed a lawsuit against PowerSchool for failing to protect sensitive information. In May 2025, an affiliate of the ShinyHunters group attempted to extort school districts individually. In June 2025, Matthew D. Lane pleaded guilty to orchestrating the attack. In October 2025, Lane was sentenced to four years in prison and ordered to pay $14 million in restitution and a $25,000 fine. Previous breaches occurred in August and September 2024, using the same compromised credentials.

Similar Happenings

ManoMano Data Breach Affects 38 Million Customers via Third-Party Service Provider

ManoMano, a European DIY e-commerce platform, disclosed a data breach impacting 38 million customers. The breach occurred in January 2026 due to unauthorized access to a third-party customer service provider. Exposed data includes full names, email addresses, phone numbers, and customer service communications. The stolen data includes information associated with 37.8 million ManoMano user accounts, over 900,000 service tickets, and over 13,000 attachments, pertaining to users across France, Germany, Italy, Spain, and the United Kingdom. No account passwords were compromised. The company has taken steps to secure its environment and notified relevant authorities and affected customers. The breach was claimed by an individual using the alias 'Indra' on a hacker forum, alleging the theft of 37.8 million user accounts and thousands of support tickets. The compromised service provider is reportedly a Tunis-based customer support firm that suffered a Zendesk breach.

Optimizely Data Breach After Vishing Attack

An ongoing wave of vishing-led breaches attributed to ShinyHunters has claimed a new victim: Aura, a digital safety firm. The attack exposed contact details of nearly 900,000 individuals, stemming from a marketing tool inherited in a 2021 acquisition. ShinyHunters claimed the theft of 12GB of files containing PII and corporate data, releasing it after failed extortion attempts. The company emphasized no SSNs, passwords, or financial data were compromised and is conducting an internal review with law enforcement involvement. Earlier in February, Optimizely disclosed a similar breach following a voice phishing attack that compromised basic business contact information. Both incidents underscore the continued exploitation of vishing tactics by ShinyHunters to gain initial access to organizations, with impacts focused on contact data rather than deeper system compromise.

Grubhub Data Breach and Extortion Attempt by ShinyHunters

Grubhub confirmed a recent data breach where unauthorized individuals accessed and downloaded data from its systems. The company stated that sensitive information such as financial data or order history was not affected. However, sources indicate that the ShinyHunters cybercrime group is extorting Grubhub, demanding Bitcoin to prevent the release of stolen Salesforce and Zendesk data. The breach is believed to be connected to stolen credentials from the recent Salesloft Drift data theft attacks.

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

Marquis Software Solutions has confirmed that its August 2025 ransomware attack exposed the personal and financial data of 672,075 individuals—including names, Social Security numbers, Taxpayer Identification Numbers, and financial account details—after threat actors exploited firewall configuration files stolen from SonicWall’s MySonicWall cloud backup breach. The company, which serves 700+ U.S. banks and credit unions, completed its forensic review in December 2025 and began notifying affected individuals in March 2026, while facing over 36 consumer class-action lawsuits and a self-initiated lawsuit against SonicWall for alleged gross negligence and misrepresentation. Marquis alleges SonicWall’s February 2025 API code change introduced the vulnerability, delayed disclosure by three weeks, and understated the breach’s scope (initially claiming <5% of customers were affected, later confirmed as 100%). The SonicWall incident began with a September 2025 breach of its MySonicWall portal, where attackers accessed AES-256-encrypted credentials, network topology details, and MFA recovery codes for all cloud backup users. This data fueled follow-on attacks, including the Marquis breach and Akira ransomware campaigns bypassing MFA via stolen OTP seeds. SonicWall collaborated with Mandiant to attribute the breach to state-sponsored actors and released remediation tools, but 950+ unpatched SMA1000 appliances remain exposed online. The Marquis lawsuit—seeking damages, indemnification, and legal fees—could set a precedent for vendor liability, as enterprises increasingly pursue legal action against cybersecurity providers for contribution or negligence in third-party breaches. CISA and SonicWall continue to urge firmware updates, credential resets, and MFA enforcement to mitigate ongoing risks.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, also known as Moses Felix, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing laptops, mobile devices, and other digital equipment linked to the operation. The stolen data was used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks. The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via the RaccoonO365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'RaccoonO365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear if the disruption operation helped identify those behind RaccoonO365 in Nigeria.
One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe is the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the RaccoonO365 operation or creation. The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.