Don't let your customers take the hit for your security failures
A hacker known as Parasocial has breached the digital infrastructure of Scholastic — the publishing house that has long served as a gateway to imagination for generations of children — exposing the personal records of roughly eight million parents, teachers, and school administrators. The intrusion, carried out through an employee portal left unguarded by basic security measures, reminds us that the institutions entrusted with the most vulnerable members of society are not exempt from the failures of the digital age. The attacker claims no malicious intent beyond curiosity, yet the data now exists beyond its rightful boundaries, and the families who placed their trust in a beloved educational brand are left to reckon with risks they never consented to carry.
- Eight million records — names, emails, phone numbers, and home addresses — were quietly lifted from a company that parents and educators trusted with their most personal details.
- The hacker needed no sophisticated exploit; the absence of multi-factor authentication left a door wide open in a system protecting data on children's families and school officials.
- Researchers confirmed the breach's authenticity by cross-referencing stolen data against public social media profiles, removing any doubt that the exposure is real and substantial.
- Parasocial claims the data will not be publicly released, but it remains in unauthorized hands — a fragile assurance that offers no legal protection and no guarantee against future sale or distribution.
- Scholastic has issued a measured statement affirming its commitment to security while providing no timeline, no notification plan, and no concrete remediation steps for those affected.
Scholastic — the publishing house behind Harry Potter, The Hunger Games, and Goosebumps — is investigating a cyberattack that exposed sensitive information on approximately eight million people. A hacker operating under the alias Parasocial claims to have accessed the company's employee portal, extracting names, email addresses, phone numbers, and postal addresses belonging to US customers and education contacts, with roughly one million of those records tied to the education sector.
The breach surfaced when Parasocial reached out to Daily Dot and provided sample data for verification. Researchers confirmed its authenticity by cross-referencing the records against LinkedIn and other social media profiles. The stolen database reportedly contains more than four million unique email addresses.
Scholastic's platform is woven into the daily lives of parents, teachers, and school administrators — people who register accounts to access curriculum materials and classroom resources. Parents provide detailed family information; teachers link their school affiliations. The breach therefore cuts across the entire education ecosystem, touching families, educators, and institutional administrators alike.
Parasocial described the intrusion as entertainment rather than a targeted campaign, and stated the data would not be released publicly — though the hacker noted that server-side export limits were the only barrier to extracting even more. In pointed criticism, Parasocial highlighted Scholastic's failure to implement multi-factor authentication, a standard safeguard that would have made the breach significantly harder to execute.
Scholastic responded with a brief statement affirming its commitment to data security and confirming an ongoing investigation, but offered no timeline, no breach date, and no plan for notifying affected users. For the millions of parents, teachers, and administrators now exposed, the hacker's promise of restraint is the only barrier standing between their personal information and the broader underground marketplace — a precarious position for those who simply wanted to help children read.
Scholastic, the publishing giant behind Harry Potter, The Hunger Games, and Goosebumps, has confirmed it is investigating a cyberattack that exposed sensitive information on roughly eight million people. A hacker using the alias Parasocial claims to have broken into the company's employee portal and stolen names, email addresses, phone numbers, and postal addresses belonging to US customers and education contacts—the latter group numbering around a million of the total compromised records.
The breach came to light when Parasocial contacted Daily Dot and provided researchers with sample data from the stolen database. Verification proved straightforward: the researchers cross-referenced the information against LinkedIn profiles and other social media accounts, confirming the data's authenticity without needing to contact the affected individuals directly. The database itself contains more than four million unique email addresses, according to the outlet's reporting.
Scholastic's platform serves parents, teachers, and school administrators who create accounts to access educational materials and resources. Parents entering their information must provide full details about their children; teachers register their school affiliations. This structure means the exposed data touches a broad swath of the education ecosystem—families relying on Scholastic's curriculum materials, educators using the platform for classroom support, and school officials managing institutional accounts.
When reached by Daily Dot, Parasocial characterized the breach as entertainment rather than a targeted attack with financial or political motives. The hacker stated they would not be releasing the stolen archives publicly, though they claimed they could have extracted even more data had the server's export limits not stopped them. In a message attributed to Parasocial and cited by the outlet, the attacker directed criticism at Scholastic's security posture, specifically calling out the absence of multi-factor authentication—a standard security measure that would have made unauthorized access significantly harder.
Scholastic responded with a brief statement to Daily Dot, saying the company "takes the security of our customers' data seriously with extensive systems and protocols" and is investigating the claim thoroughly. The statement offered no timeline for the investigation, no details about when the breach occurred, and no information about what steps the company is taking to notify affected users or prevent similar incidents.
The exposure affects millions of parents who have registered their children on Scholastic's platform, teachers who use the service for classroom materials, and administrators managing school accounts. Each of these individuals now faces potential risks including phishing attacks, identity theft, and unwanted contact—consequences that flow directly from the security failure Parasocial highlighted. The hacker's decision not to publicly release the data offers some protection, but the information remains in unauthorized hands, and there is no guarantee it will not be sold or shared on underground forums in the future.
Citas Notables
Don't let your customers take the hit for your security failures, use MFA— Parasocial, the hacker, to Daily Dot
Scholastic takes the security of our customers' data seriously with extensive systems and protocols, and are investigating this claim thoroughly— Scholastic representative
La Conversación del Hearth Otra perspectiva de la historia
Why would someone break into Scholastic specifically? It's not a financial institution or a government agency.
Because it's a soft target with valuable data. Eight million records of parents and teachers—that's a goldmine for anyone wanting to build mailing lists, launch phishing campaigns, or just prove they can do it. And Scholastic's security apparently wasn't keeping pace with the value of what they were protecting.
The hacker said it was just for fun. Do you believe that?
I think it's partly true and partly posturing. Breaking in is the thrill. But the fact that they reached out to journalists, provided samples, and left a message about security failures suggests they also wanted to send a message—to shame Scholastic into fixing things.
Multi-factor authentication. That's the thing the hacker called out. How big a deal is that?
It's enormous. It's the difference between a password being enough to get in and needing a second verification—usually from your phone. Without it, one stolen password opens the door. With it, you need two things. It's not perfect, but it's the baseline now.
Scholastic said they have "extensive systems and protocols." If that's true, how did this happen?
Either those systems weren't actually in place, or they weren't being enforced properly. An employee portal is often where companies are weakest—less scrutiny than the customer-facing side. One weak link, one person reusing a password, one unpatched server, and you're in.
What happens to those eight million people now?
They wait. They watch their email and credit reports. They hope Scholastic eventually tells them what happened and when. And they hope the hacker was telling the truth about not selling the data. But there's no guarantee.