DataBreaches.Net


PowerSchool hit by Salesloft Drift campaign, but hackers claim that there is no risk of harm or ransom

Posted on October 4, 2025 by Dissent

As noted on Reddit, PowerSchool appears to have been one of many victims of the Salesloft Drift/Salesforce campaign by Scattered LAPSUS$ Hunters. Like many other victims, PowerSchool did not disclose the incident publicly, but it did post a notice in its closed users group. The notice was removed shortly thereafter, and several people have reported difficulty getting PowerSchool to respond to inquiries about it.

The following is the text of the announcement as it appeared in the group:

On August 23rd, PowerSchool was notified that we were affected by a security incident involving the Drift app, published by Salesloft. As a result of this incident, a threat actor gained unauthorized access to the Salesforce database, which we use for customer support and internal case management. This database contains customer contact information, support case metadata, and the contents of support case communications.

At this time, we have no evidence that any PowerSchool infrastructure or production systems outside of Salesforce were affected by this incident; all other products and systems appear to remain fully secure and uncompromised.

The main motivation for the attacker appears to have been to steal credentials, per published information on the incident by Salesloft. If you suspect that your organization may have included credentials in a support case, we recommend that you review your support cases and change any credentials you find.

As a security best practice, do not send credentials to PowerSchool or any other vendor in a support case.

We are committed to transparency and will continue to provide updates as we receive any new information. If you have questions or need assistance, please reach out to your Customer Success Manager or Support contact directly.

— PowerSchool Security Team

Promises Made

As part of its negotiations with PowerSchool over the 2024 data breach, ShinyHunters had assured PowerSchool that if PowerSchool paid, their data would be deleted and they would never be attacked again.

In May 2025, someone claiming to be ShinyHunters attempted to extort a few PowerSchool clients, using data that had been acquired during the 2024 hack. When DataBreaches contacted ShinyHunters about the incident, he replied that he had not authorized the attack and that an affiliate hadn’t listened to him about not double-dipping. ShinyHunters followed up by reportedly deleting the data and emailing an apology to PowerSchool with an offer to refund some of their 2024 payment. The email was shown to DataBreaches at the time, and DataBreaches was subsequently told that PowerSchool had responded and accepted the apology.

With this new breach, DataBreaches reached out to ShinyHunters yesterday and asked him if his promise not to attack PowerSchool was still in effect. He agreed that the promise was still in effect, and that he had not contacted PowerSchool to attempt to ransom them. He also indicated he would delete the data. In a statement provided to DataBreaches today, he wrote:

PowerSchool was affected by our Salesloft Drift app campaign (UNC6395) but it was not specifically targeted.

Near a thousand of companies integrate Salesloft which integrates Salesforce SaaS services in their backend. Our targets were the IT/tech, cybersec, etc. industries and the broad scope of Salesloft customers, who ever came first in the list were hit, PowerSchool was a complete coincidence.

Nobody but me HAD the data, I have deleted the data and PowerSchool will not be targeted with intent again as we promised them earlier this year. They will not be receiving any new/further ransom demand by us.

DataBreaches emailed PowerSchool to inform them of ShinyHunters’ statement and to ask if they had any comment, but no reply was immediately received.

DataBreaches does not know if PowerSchool is aware that on September 30, members of Scattered LAPSUS$ Hunters posted in their Telegram channel that they were going to encrypt PowerSchool. Scattered LAPSUS$ Hunters should honor the commitment its group made to PowerSchool and not even threaten to attack it.

 

