Pearson Breach Exposes Credential Hygiene Gaps

April 11, 2026

UK-based education giant Pearson confirmed that an unauthorized actor infiltrated its systems and exfiltrated primarily legacy corporate and customer data, prompting a forensic-led investigation and law enforcement involvement. The intrusion, traced back to January 2025, began when threat actors exploited an exposed GitLab Personal Access Token embedded in a public .git/config file, which granted access to repositories containing hard-coded cloud credentials. Over the following months, those credentials were used to siphon terabytes of data from both on-premises networks and cloud environments (AWS, Google Cloud, Snowflake, and Salesforce CRM), including customer details, financial records, support tickets, and proprietary source code, potentially impacting millions of individuals. Pearson reports that no employee records were affected and that it has since deployed enhanced security monitoring and strengthened authentication controls. However, the company has not disclosed whether a ransom was paid, nor has it provided a definitive count of affected customers. The incident underscores the need for rigorous credential management and code-repository hygiene across all digital learning platforms.
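A check for the root cause described above, written for this page as an added example and not taken from Pearson or the original report: it scans the text of a .git/config file for credential-bearing entries and reports where they are without echoing the secret. The rule names, the sample config, and the host gitlab.example.com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# GitLab personal access tokens carry the "glpat-" prefix by default.
GITLAB_PAT = re.compile(r"glpat-[0-9A-Za-z_-]{20,}")
KEYVAL = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")

def url_has_password(value):
    """True when a remote URL embeds a password, e.g. https://user:secret@host/."""
    try:
        return bool(urlsplit(value).password)
    except ValueError:  # malformed URL: nothing to report under this rule
        return False

def scan_git_config(text):
    """Return (line_number, section, rule) tuples; secret values are never returned."""
    findings, section = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()       # e.g. remote "origin"
            continue
        kv = KEYVAL.match(line)
        if not kv:
            continue
        key, value = kv.group(1).lower(), kv.group(2).strip()
        if GITLAB_PAT.search(value):
            findings.append((lineno, section, "gitlab-pat"))
        if key in ("url", "pushurl") and url_has_password(value):
            findings.append((lineno, section, "url-password"))
        if key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append((lineno, section, "auth-header"))
    return findings

# Constructed sample: the token and header value are placeholders, not real secrets.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://oauth2:glpat-CONSTRUCTED0000000000@gitlab.example.com/team/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.example.com:team/app.git
[http "https://gitlab.example.com/"]
\textraheader = Authorization: Bearer CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    for lineno, section, rule in scan_git_config(SAMPLE_CONFIG):
        print(f"line {lineno} [{section}]: {rule}")
```

A token found this way should be revoked and reissued, not just deleted from the file, since it may already have been copied.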
