CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Texas Sues PowerSchool Over Breach Exposing 62M Students

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

Texas Attorney General Ken Paxton has filed a lawsuit against PowerSchool, a cloud-based education software provider, after a December 2024 data breach exposed the personal information of 62 million students and 9.5 million teachers worldwide, including 880,000 Texans. The breach involved stolen credentials and a ransom demand of $2.85 million in Bitcoin. The lawsuit alleges violations of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. The breach occurred when an attacker exploited a subcontractor's stolen credentials to access PowerSchool's PowerSource customer support portal. The stolen data included names, addresses, phone numbers, passwords, parent information, contact details, Social Security numbers, and medical data. The attacker initially demanded a ransom but later attempted to extort individual school districts, claiming to be part of the ShinyHunters group. The lawsuit aims to hold PowerSchool accountable for failing to protect sensitive information and misleading customers about its security practices.

Timeline

  1. 04.09.2025 21:01 πŸ“° 1 articles Β· ⏱ 12d ago

    Texas Sues PowerSchool Over December 2024 Breach Exposing 62M Students

    Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool on September 4, 2025, alleging violations of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act. The lawsuit follows a December 2024 data breach that exposed the personal information of 62 million students and 9.5 million teachers, including 880,000 Texans. The breach involved multiple incidents, with the attacker using stolen credentials to access sensitive data. The lawsuit aims to hold PowerSchool accountable for failing to protect sensitive information and misleading customers about its security practices.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Salesloft Disables Drift Following OAuth Token Theft

Salesloft has taken Drift offline due to a security incident involving the theft of OAuth tokens and unauthorized access to Salesforce data. The breach began with the compromise of Salesloft's GitHub account, affecting multiple major tech companies, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, Zscaler, Tenable, Qualys, Rubrik, Spycloud, BeyondTrust, CyberArk, Elastic, Dynatrace, Cato Networks, and BugCrowd. The incident was attributed to a threat cluster tracked as UNC6395 and GRUB1. The breach occurred on September 5, 2025, affecting the marketing software-as-a-service product Drift. The attackers exploited vulnerabilities to steal authentication tokens, leading to unauthorized access to sensitive data. Salesloft has temporarily disabled Drift to conduct a comprehensive review and enhance security measures. The ShinyHunters extortion gang and threat actors claiming to be Scattered Spider were involved in the Salesloft Drift attacks, in addition to the previous Salesforce data theft attacks. The threat actors primarily focused on stealing support cases from Salesforce instances, which were then used to harvest credentials, authentication tokens, and other secrets shared in the support tickets. The threat actors' primary objective was to steal credentials, specifically focusing on sensitive information like AWS access keys, passwords, and Snowflake-related access tokens. The number of impacted companies has been updated to 29. Cloudflare disclosed that some customer support cases stored in Salesforce included configuration settings and 104 Cloudflare API tokens. Salesforce restored integration with the Salesloft platform, except for the Drift app, which remains disabled until further notice. The breach also affected Qantas, where executives had their short-term compensation reduced by 15% due to a data breach that impacted approximately 5.7 million passengers.

Open in new tab

ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware

A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to Shiny Hunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).

Open in new tab

Threat Actors Exploit VPS Infrastructure for SaaS Account Compromises

Threat actors, including the China-linked APT41 group, are exploiting commercial virtual private server (VPS) infrastructure to quickly and stealthily set up attack infrastructure. This tactic has been observed in coordinated SaaS account compromises across multiple customer environments and in targeted cyber espionage campaigns against U.S. trade officials. The abuse of VPS services allows attackers to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate behavior. The attacks involved brute-force attempts, anomalous logins, phishing campaign-related inbox rule creation, and impersonation tactics. In notable incidents, attackers successfully compromised accounts by exploiting VPS services from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity. The attackers deleted phishing emails and created obfuscated email rules to conceal their activities. The use of VPS infrastructure enables attackers to rapidly deploy infrastructure, making it difficult for defenders to track and respond to threats. The impersonation of U.S. Rep. John Moolenaar was part of a larger espionage campaign targeting U.S. trade officials. The campaign involved spear-phishing attacks impersonating a U.S. Congressman to gain unauthorized access to systems and sensitive information. The attacks exploited developer tools to create hidden pathways and siphon data to attacker-controlled servers.

Open in new tab

AI-Generated Fake Employees Exploit Remote Work to Gain Access to Corporate Networks

AI-generated fake employees are increasingly infiltrating corporate networks, exploiting remote work and gig economy trends. These fake employees, often backed by state-sponsored actors, gain privileged access to steal intellectual property and virtual currency. The issue is exacerbated by the ease of falsifying documents and conducting virtual interviews using AI. North Korean actors have been particularly active, using fake identities to secure jobs in various sectors, including blockchain research and development. The Justice Department has shut down several laptop farms facilitating these activities, but the problem persists. The U.S. Treasury Department has also sanctioned individuals and entities involved in these schemes, revealing significant financial transfers and profits. Organizations need to implement multi-layered security measures, including access governance, behavioral analytics, and AI-driven monitoring, to mitigate this risk. The scheme has expanded to Europe and deepened its networks in the Asia Pacific, with operatives claiming residency in Japan, Malaysia, Singapore, and Vietnam. The Japanese government has warned companies to verify identities and requested freelance-platform providers to reinforce anti-fraud efforts. The U.S. Treasury Department has sanctioned additional entities for their roles in the IT worker scheme, accusing them of generating revenue for the Democratic People's Republic of Korea (DPRK). The threat of remote hiring fraud is escalating rapidly, with a 220% increase in cases year-over-year. North Korean operatives have used AI-generated profiles, deepfakes, and real-time AI manipulation to pass interviews and vetting protocols. American accomplices have operated laptop farms to provide physical US setups, company-issued machines, and domestic addresses and identities. The scheme targets Fortune 500 companies, indicating a systematic and organized campaign. To mitigate this risk, organizations should consider implementing zero standing privileges (ZSP) to ensure minimum access required to function and revoke access when the task is complete.

Open in new tab