A “furry” hacker breached the education and publishing company Scholastic this month and stole data on 8 million people, the Daily Dot has learned.
Scholastic is a leading global provider of educational materials for pre-K to grade 12, offering both print and digital resources to support student learning. In addition to its educational offerings, Scholastic publishes popular children’s book series, including Harry Potter, The Hunger Games, Clifford the Big Red Dog, and Goosebumps.
The hacker, who goes by the moniker “Parasocial,” presented the data to the Daily Dot after purportedly exfiltrating it from an employee portal.
The data includes a mix of names, email addresses, phone numbers, and home addresses for both U.S.-based customers and “education contacts,” though not every entry contains all of these details.
The education contacts make up approximately 1,048,576 of the roughly 8,000,000 entries.
Users who register on Scholastic’s website can sign up as a parent, teacher, or administrator. Users who sign up as parents are prompted to enter the full names of their children. Teachers who register are required to enter the school they work at.
When excluding duplicates, 4,247,768 unique email addresses appear in the leak.
The Daily Dot was able to locate several social media accounts of users that shared the same name and state of residence as those in the data. In all instances, the individuals’ online profiles on platforms such as LinkedIn indicated that they work in education.
Parasocial, who said they gained access after stealing login credentials from an employee hit with malware, told the Daily Dot that they would have taken more data but were stopped due to an export limit on Scholastic’s server.
A screenshot provided to the Daily Dot of the employee portal accessed by Parasocial shows dozens of sections for everything from employee information and sales quotas to inventory management and invoices.
The hacker claims they pilfered the data while bored and have no intention of making it public. In remarks to the Daily Dot, Parasocial criticized Scholastic for their security practices.
“To Scholastic; lol get pwned. This is a lesson to be learned the hard way. Don’t let your customers take the hit for your security failures, use MFA,” they said, referring to multi-factor authentication.
Parasocial also made an apparent reference to furries when requesting a shout-out to “the puppygirl hacker polycule.” The furry community comprises individuals interested in anthropomorphic animal characters and has a notable presence in the tech community.
Groups such as SiegedSec, a now-defunct hacktivist crew that carried out high-profile breaches of numerous government entities and right-wing organizations, were well known for flying the furry banner, although Parasocial denied any affiliation with the group.
In a statement to the Daily Dot, a representative for Scholastic said the company was investigating the claim.
“Scholastic takes the security of our customers’ data seriously with extensive systems and protocols, and are investigating this claim thoroughly,” they said.