Matthew Lane, a 20-year-old former college student, has pleaded guilty to federal charges, including cyber extortion and unauthorized access to protected computers, for orchestrating one of the largest cyberattacks ever to target the American education sector. The breach of PowerSchool, a student information platform serving over 50 million students globally, exposed personally identifiable information spanning thousands of K-12 and collegiate school districts. Lane was arrested by the FBI and has been sentenced to federal prison, closing the federal investigation into his credential-based intrusions.
What Happened
Lane targeted PowerSchool, the dominant student information system (SIS) used by school districts across the United States. He did not need a zero-day. Using compromised credentials for PowerSchool's PowerSource customer support portal, which reportedly did not enforce multi-factor authentication at the time, he used the portal's maintenance-access function to pull student and teacher records out of customer SIS instances, district after district, without needing a foothold in any school's own network and without tripping controls that watch for malware or exploitation. He then demanded a ransom of roughly $2.85 million in bitcoin in exchange for not releasing the data. Federal prosecutors described the attack not as a sophisticated exploit but as a persistent, methodical abuse of a known security gap that had gone unremediated, in this case on the vendor side rather than in any individual school's network. Lane reportedly characterized his own activity as a compulsive "addiction" to finding system vulnerabilities, though the scope and duration of the intrusion suggest deliberate, sustained effort well beyond casual exploration.
What Was Taken
The breach exposed a sweeping volume of sensitive student data, including full names, dates of birth, home addresses, Social Security numbers, academic grades, and disciplinary records, along with records on millions of teachers. The affected population ranges from kindergarteners to college seniors, meaning many victims are minors with no existing credit history and no practical means of detecting identity fraud for years. The primary monetization was extortion of PowerSchool itself; exfiltrated data was also reportedly indexed and sold on underground forums, compounding the long-term risk. The combination of SSNs and biographical details for millions of minors creates an especially dangerous dataset: fraudulent credit lines and synthetic identities can be built against children who will not discover the damage until they apply for their first loan or job.
Why It Matters
This case is a defining moment for education-sector cybersecurity. Schools have long been classified as soft targets due to chronically underfunded IT departments, sprawling user bases, and inconsistent security standards across districts. The PowerSchool breach confirms that threat actors do not need nation-state tooling to cause catastrophic damage in this vertical. A single individual with persistence and one set of stolen credentials compromised a platform trusted by tens of thousands of institutions, and he did it through the vendor, so no amount of hardening on any single district's network would have stopped it. For defenders, the incident underscores that the education sector's attack surface is not theoretical but actively and repeatedly exploited, and that a shared SIS vendor is part of every customer's attack surface. It also shows that youth does not shield an offender from federal prison when data theft reaches this scale.
The Attack Technique
Lane's approach relied on stolen credentials and weak authentication controls around PowerSchool's support infrastructure, not on a flaw in the product's code. Rather than deploying custom malware or leveraging zero-day vulnerabilities, he authenticated to the vendor's support portal with a legitimate account and, through it, reached customer SIS instances. Once inside, he employed a "living off the land" methodology: the portal's own maintenance-access and data-export functions did the work, so nothing looked like an exploit and no alarm that keys on malware or unusual binaries had a reason to fire. This technique is particularly effective in environments where multi-factor authentication is not enforced and where anomalous privileged activity, such as one support account pulling full record sets from dozens of tenants in one session, is not monitored. The attack chain was low-sophistication but high-impact, a pattern increasingly common among younger threat actors operating within loosely organized peer groups on platforms like Discord.
The Broader Threat: Gen Z Hacker Cells
Lane's case is part of a wider federal investigation into what law enforcement has termed "Minor Mayhem," a pattern of young, often teenage or early-twenties hackers conducting significant intrusions from personal devices. These actors are not state-sponsored. They are motivated by curiosity, peer validation in online communities, and financial gain from selling stolen data. Their operational security is often poor, which aids in eventual attribution and arrest, but the damage they inflict before apprehension can be enormous. The PowerSchool breach demonstrates that organizational risk models must account for this threat profile: low-resource actors exploiting low-hanging vulnerabilities at massive scale.
What Organizations Should Do
- Enforce multi-factor authentication everywhere. Any system handling student PII must require MFA for all administrative and privileged accounts, with hardware security keys as the preferred second factor.
- Audit credential hygiene aggressively. Rotate administrative passwords on a scheduled basis, eliminate shared credentials, and deploy credential monitoring to detect compromised accounts appearing on dark web marketplaces.
- Implement behavioral analytics on privileged accounts. Monitor for anomalous login patterns, bulk data exports, and lateral movement that deviates from normal administrative workflows.
- Segment and limit administrative access. Apply least-privilege principles so that a single compromised credential cannot unlock access to records across an entire district or institution, and, for vendor support credentials, cannot reach every customer tenant at once. Time-bound, customer-approved support access is the norm in mature SaaS platforms and should be required here.
- Establish an incident response plan specific to student data. Schools must have a tested playbook for mass parental notification, forensic investigation, and coordination with federal law enforcement in the event of a breach.
- Demand vendor accountability. Districts should require contractual security commitments from SIS vendors including mandatory penetration testing, SOC 2 compliance, and transparent breach notification timelines.
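The monitoring that the "Attack Technique" section and the behavioral-analytics recommendation above call for can be reduced to a few concrete rules: a privileged login without a second factor, one actor exporting far more records than a normal administrative workflow would, and one credential touching many tenants (districts) in a short window. The script below is an added example, not code from the original article and not PowerSchool's own tooling; the audit-line format, field names, thresholds and sample events are all assumptions constructed for illustration. It generalizes beyond the single case in the text by treating the multi-tenant sweep as its own rule, since that is the pattern a vendor-side support credential produces.

```python
"""Detection rules for abusive privileged access to a multi-tenant SIS.

Added example. The audit-line format below (timestamp actor action k=v ...)
is a hypothetical schema, not PowerSchool's real audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real PowerSchool logs). One support
# credential logs in without MFA, then exports from three districts.
SAMPLE_LOG = """\
2024-12-20T02:01:10Z support_ops login role=support tenant=district-a mfa=false src=203.0.113.7
2024-12-20T02:03:44Z support_ops export role=support tenant=district-a records=18000 src=203.0.113.7
2024-12-20T02:10:02Z support_ops export role=support tenant=district-b records=22000 src=203.0.113.7
2024-12-20T02:15:30Z support_ops export role=support tenant=district-c records=9500 src=203.0.113.7
2024-12-20T08:30:00Z registrar_a login role=admin tenant=district-a mfa=true src=198.51.100.4
2024-12-20T08:45:12Z registrar_a export role=admin tenant=district-a records=40 src=198.51.100.4
"""

PRIVILEGED_ROLES = {"support", "admin"}
WINDOW = timedelta(hours=1)   # sliding window for the volume and sweep rules
BULK_RECORDS = 10_000         # records exported per actor per window before alerting
TENANT_SWEEP = 3              # distinct tenants touched per actor per window before alerting


def parse_line(line):
    """Turn one audit line into a dict; key=value fields become entries."""
    ts, actor, action, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
          "actor": actor, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    ev["mfa"] = ev.get("mfa", "false") == "true"
    ev["records"] = int(ev.get("records", 0))
    return ev


def parse_log(text):
    """Parse all non-empty lines and return events in chronological order."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect(events):
    """Return findings as (rule, actor, timestamp, detail) tuples."""
    findings = []
    exports = defaultdict(deque)   # actor -> (ts, records) inside WINDOW
    tenants = defaultdict(deque)   # actor -> (ts, tenant) inside WINDOW
    fired = set()                  # (rule, actor): each windowed rule fires once per actor

    for ev in events:
        actor, ts = ev["actor"], ev["ts"]

        # Rule 1: privileged session established without a second factor.
        if ev["action"] == "login" and ev.get("role") in PRIVILEGED_ROLES and not ev["mfa"]:
            findings.append(("no_mfa_privileged_login", actor, ts, f"src={ev.get('src')}"))

        # Rule 2: bulk export volume by one actor inside the sliding window.
        if ev["action"] == "export":
            q = exports[actor]
            q.append((ts, ev["records"]))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            total = sum(r for _, r in q)
            if total >= BULK_RECORDS and ("bulk_export", actor) not in fired:
                fired.add(("bulk_export", actor))
                findings.append(("bulk_export", actor, ts, f"{total} records in {WINDOW}"))

        # Rule 3: one credential sweeping across many tenants (districts).
        if "tenant" in ev:
            q = tenants[actor]
            q.append((ts, ev["tenant"]))
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
            distinct = {t for _, t in q}
            if len(distinct) >= TENANT_SWEEP and ("tenant_sweep", actor) not in fired:
                fired.add(("tenant_sweep", actor))
                findings.append(("tenant_sweep", actor, ts, f"tenants={sorted(distinct)}"))

    return findings


if __name__ == "__main__":
    for rule, actor, ts, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {rule:24} {actor:12} {detail}")
```

Run against the sample, the support credential produces three findings (no MFA at login, 18,000 records exported inside the window, three districts swept in fifteen minutes) while the registrar who exports 40 records from a single district with MFA produces none. The thresholds are placeholders; in practice they come from a per-role baseline, and the tenant-sweep rule is the one a vendor should run on its own support portal, because a customer cannot see activity in other tenants.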
Sources: Matthew Lane: The 20-Year-Old Behind the PowerSchool Breach