A threat actor has listed an allegedly exfiltrated database containing over 4 million student records from the Los Angeles Unified School District (LAUSD) and its online learning partner Edgenuity for sale on a monitored dark web forum. According to Brinztech intelligence published on 19 April 2026, the data was sourced from a compromised Snowflake cloud data warehouse instance. The attacker is demanding a $150,000 USD ransom with a strict seven-day deadline, threatening to publicly leak the minor PII, health records, and authentication data if payment is not received.
What Happened
Cybersecurity analysts monitoring underground hacker forums identified a high-priority listing advertising an exfiltrated student database tied to LAUSD and Edgenuity. The seller claims the dataset was lifted from a Snowflake cloud warehousing instance used to centralize student academic, administrative, and health data across the district's digital learning ecosystem. The listing is structured as a dual-purpose extortion and sale operation: the threat actor has issued a seven-day ultimatum, after which the full dataset will be released publicly if the six-figure ransom is not paid. The activity is classified as a Tier 0 data exposure event given the scale and sensitivity of the data and the fact that the affected population consists of minors.
What Was Taken
The compromised dataset represents a catastrophic cross-section of sensitive minor PII and institutional records. Reported contents include:
- Over 4 million K-12 student records with full names, family names, physical addresses, and core demographic identifiers.
- Highly sensitive health data, including specific student disability details and special education categorizations.
- Comprehensive academic and disciplinary histories covering exact grades, GPAs, performance scoring, and internal discipline records.
- Financial details alongside direct online login credentials belonging to both students and their parents.
The combination of identity, health, academic, and authentication data in a single dataset makes this corpus unusually weaponizable for downstream fraud, social engineering, and account takeover campaigns.
Why It Matters
This incident represents one of the most severe K-12 data exposures on record and illustrates a compounding risk pattern in the education sector. Minors whose identities, medical conditions, and special-education statuses are publicly leaked face decades of downstream exposure to synthetic identity theft, credit fraud, and targeted harassment before they reach adulthood. The inclusion of parent credentials extends the blast radius into family financial and email accounts. For defenders, the breach is also a stark signal that educational cloud supply chains, particularly shared SaaS learning platforms feeding centralized data warehouses, have become high-value targets operating with enterprise-scale data volumes but often without enterprise-grade controls.
The Attack Technique
The threat actor claims the data was exfiltrated from a Snowflake cloud data warehousing instance tied to the Edgenuity learning platform. While full technical details have not been disclosed, the attack vector is consistent with the broader pattern of Snowflake-targeted intrusions observed across 2024 and 2025, in which adversaries abuse stolen or infostealer-harvested credentials to authenticate to customer Snowflake tenants lacking enforced multi-factor authentication and network allow-listing. Once inside, attackers typically enumerate accessible databases and bulk-export high-value tables using legitimate query tooling, leaving minimal forensic footprint at the cloud provider layer. The centralization of LAUSD and Edgenuity student data in a single warehouse appears to have turned one credential compromise into a four-million-record exfiltration.
What Organizations Should Do
Education sector organizations, particularly those integrated with third-party learning platforms, should take the following immediate steps:
- Enforce mandatory MFA on all Snowflake accounts and any cloud data warehouse tenant, including service and integration accounts.
- Apply network policies and IP allow-listing to restrict Snowflake and SaaS data platform access to sanctioned corporate networks and identity providers.
- Audit all third-party learning, assessment, and student information system vendors for data minimization, encryption at rest, and credential hygiene practices.
- Rotate credentials and API tokens for any staff, student, or parent accounts potentially exposed via the Edgenuity platform and hunt for infostealer infections across managed endpoints.
- Review Snowflake query history and access logs for anomalous bulk exports, large result sets, and off-hours authentication from unfamiliar ASNs.
- Coordinate breach notification, law enforcement engagement, and student/parent communications in accordance with FERPA, state student privacy laws, and applicable breach disclosure statutes.
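The MFA, allow-listing and log-review steps above, sketched as Snowflake SQL against the `SNOWFLAKE.ACCOUNT_USAGE` views. This is an added example, not taken from the Brinztech report or from LAUSD or Edgenuity; the 30-day window, the row threshold, the policy name `corp_only` and the CIDR range are assumptions to replace with your own values.

```sql
-- Added example: thresholds, time window, policy name and CIDR are assumptions.

-- 1) Successful password logins that presented no second factor,
--    grouped by user and source IP (candidates for MFA enforcement review).
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip, reported_client_type
ORDER BY logins DESC;

-- 2) Bulk exports: unload statements or very large result sets,
--    aggregated per user per day so a one-off spike stands out.
SELECT user_name,
       DATE_TRUNC('day', start_time)                 AS day,
       COUNT(*)                                      AS queries,
       SUM(rows_produced)                            AS total_rows,
       SUM(bytes_written_to_result) / POWER(1024, 3) AS result_gib
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND execution_status = 'SUCCESS'
  AND (query_type = 'UNLOAD' OR rows_produced > 1000000)  -- assumed threshold
GROUP BY user_name, DATE_TRUNC('day', start_time)
ORDER BY total_rows DESC;

-- 3) Allow-listing: restrict logins to sanctioned egress ranges.
CREATE NETWORK POLICY corp_only            -- hypothetical policy name
  ALLOWED_IP_LIST = ('203.0.113.0/24');    -- placeholder range (TEST-NET-3)
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
```

`ACCOUNT_USAGE` views are not real-time, so recent activity may not appear yet. An account-level network policy with the wrong range locks out administrators; confirm the range on a single user with `ALTER USER ... SET NETWORK_POLICY` before applying it account-wide.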
Sources: 4M LAUSD & Edgenuity (Snowflake) Student Database Sale