A school data breach is raising serious concern in Mexico: over one million students could be at risk following a hack of Servoescolar, a platform used by at least 1,600 schools nationwide to manage all types of academic and personal information.
It has been confirmed that thousands of student accounts are being offered in cybercriminal groups. These groups, often operating on platforms like Telegram or SimpleX, are requesting direct access to Servoescolar accounts. To streamline the process, the attackers are using automated bots (such as one known as Akula) that deliver “samples” with up to 100 real passwords from different schools.
The most alarming aspect is that anyone who wants access to more data simply has to pay to receive additional credential packages. This entire system enables malicious actors to commit fraud, impersonate identities, or manipulate school records, directly affecting students, teachers, and entire families.
Real Access to Accounts with Highly Sensitive Data
Upon reviewing the incident, a highly alarming discovery was made: at least 50 active Servoescolar accounts were fully accessible. This means that anyone with those credentials could log in without restrictions to the real profiles of currently enrolled students.
Inside these accounts, very sensitive information was found, including:
- Full names of students and their parents or guardians
- Date and place of birth
- Students' CURP (Unique Population Registry Code)
- Exact address and postal code
- Cell phone numbers and email addresses of both students and their families
- Enrollment number, class group, and academic program or curriculum
- Complete academic history, including grades
- Current photographs of the students
- Account statements with details of payments, monthly fees, and any outstanding balances
- Financial information related to tuition payments
In short, everything someone would need to steal an identity or commit fraud was there—available with just a few clicks. This situation threatens not only the privacy but also the safety of thousands of students and their families.
Leaked Data Includes CURP, Addresses, Student Photos, Payment Information, and Grades
From Children to University Students: The Scope of the Problem
What’s most concerning about this case is that the risk is not limited to a single educational level. Servoescolar is a platform used by both basic education schools (such as preschool, elementary, and middle schools) and higher education institutions, including private universities and postgraduate schools. This means the leaked data affects students of all ages—from very young children to young adults in professional stages.
Among the institutions known to use Servoescolar are universities such as Vizcaya de las Américas, Kino, Pontificia de México, La Salle Pachuca, and Cuauhtémoc de Guadalajara, as well as schools and institutes like Margil, Oriente, Hispano Inglés, Cervantes, Colegio España, Del Valle, Tierra Nueva, IDENAP, Prepa Lorentz, Universidad del Golfo de California, Nuevos Horizontes Global School, Pablo de Anda, and the UIEST system, among many others.
According to analyses by digital intelligence platforms such as White Intel and Dehashed, it is estimated that at least 15,000 user accounts have already been directly compromised. And it doesn’t stop there: the bots handling this data remain active and continue to be fed with new credentials, so the number is likely to keep rising in the coming days.
Infostealers Played a Key Role in Stealing School Passwords (Source: White Intel)
The Major Problem: Virtually No Security Barriers
One of the platform’s most critical flaws is the lack of real safeguards against unauthorized access. There is no two-factor authentication (2FA), no alerts for suspicious logins, and no restrictions based on unusual geographic locations. In many cases, just having a leaked username and password is enough to log in undetected. It’s like leaving the door open with a sign that says “come on in.”
How Do Hackers Obtain School Passwords?
These leaks originate from various sources, but two common methods stand out:
- Spyware (infostealers): Many students, parents, or school staff unknowingly have malicious software on their computers or phones that automatically steals saved passwords from browsers or apps.
- Leaked password combos: Massive lists known as combolists circulate on the dark web, containing millions of emails with reused passwords. Hackers test them on different platforms until they find working combinations.
With automated tools like the Akula bot, hackers can then extract access credentials specifically for platforms like Servoescolar and sell them to other criminal groups. It's an entire digital market built on stolen data.
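The missing login alerts and the combolist testing described above can both be caught from ordinary authentication logs. The following is an added example, not code from Servoescolar or from the original article; the log fields, the account names, the threshold and the assumption that a geo-IP lookup has already filled in the country are all hypothetical.

```python
from collections import defaultdict

# Constructed sample login events, not real platform logs. Assumed fields:
# (timestamp, source_ip, geo-IP country, username, login_succeeded)
EVENTS = [
    ("2025-01-10T08:00:01", "192.0.2.10", "MX", "alumno01", True),
    ("2025-01-10T09:15:00", "203.0.113.50", "RO", "alumno02", False),
    ("2025-01-10T09:15:02", "203.0.113.50", "RO", "alumno03", False),
    ("2025-01-10T09:15:04", "203.0.113.50", "RO", "alumno04", True),
    ("2025-01-10T09:15:06", "203.0.113.50", "RO", "alumno05", False),
    ("2025-01-10T11:30:00", "198.51.100.9", "BR", "alumno01", True),
    ("2025-01-10T12:00:00", "192.0.2.10", "MX", "alumno02", True),
]
# Constructed baseline: countries each account has logged in from before.
KNOWN = {"alumno01": {"MX"}, "alumno02": {"MX"}, "alumno04": {"MX"}}


def detect(events, known_countries, max_users_per_ip=3):
    """Return alerts for combolist testing and for logins from a new country."""
    # Pass 1: one address trying many different usernames is the signature of
    # a combolist being replayed. Counted over the whole batch here; a live
    # system would count inside a sliding time window.
    users_by_ip = defaultdict(set)
    for _ts, ip, _country, user, _ok in events:
        users_by_ip[ip].add(user)
    stuffing_ips = {ip for ip, u in users_by_ip.items() if len(u) > max_users_per_ip}
    alerts = [("credential_stuffing", ip, len(users_by_ip[ip]))
              for ip in sorted(stuffing_ips)]

    # Pass 2: look at successful logins only.
    seen = {user: set(c) for user, c in known_countries.items()}
    for _ts, ip, country, user, ok in events:
        if not ok:
            continue
        if ip in stuffing_ips:
            # A hit from a stuffing source means the password is known to the
            # attacker: reset it, and keep the country out of the baseline.
            alerts.append(("force_reset", user, ip))
            continue
        if user in seen and country not in seen[user]:
            alerts.append(("new_country", user, country))
        seen.setdefault(user, set()).add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN):
        print(alert)
```

A `force_reset` alert is the case the article warns about: a leaked password that worked, which without this kind of check would pass as a normal login.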