Datacus extractus: Harry Potter publisher breached without resorting to magic

submitted by
Style Pass
2025-01-20 13:30:05

Infosec in brief Hogwarts doesn’t teach an incantation that could have saved Harry Potter publisher Scholastic from feeling the power of an online magician who made off with millions of customer records - except perhaps the wizardry of multifactor authentication.

Scholastic, publisher of the US editions of the Harry Potter series and The Hunger Games, along with other children's book series like The Magic School Bus and Goosebumps, was added to the Have I Been Pwned database last week after it emerged that a self-described "furry" hacker - not associated with the other furry hackers, they claim - had breached an employee portal and exfiltrated about eight million items of data.

The Daily Dot, which spoke to the hacker who identified themselves by the handle "Parasocial," said they gained access to the employee portal after stealing login credentials from a Scholastic employee whose system was infected with malware.

The data Parasocial stole, which was reviewed by the Daily Dot, contained 4,247,768 unique email addresses and a mix of names, phone numbers and home addresses for US-based customers. More than one million of the compromised records belonged to educational contacts (i.e., teachers and administrators), while the rest reportedly belonged to parents. The Daily Dot reported that parents are prompted to enter the names of their children when they register with the publisher.