Space science education and outreach company.
DreamUp, a U.S.-based space science education and outreach company, was listed on March 1, 2026 by an extortion group operating under the 'LAPSUS$' name on its dark-web data leak site. Security researchers and threat-intelligence analysts including SpyCloud have noted that this 2026 LAPSUS$ group is distinct from the original LAPSUS$ gang led by Arion Kurtaj that was active in 2021 and 2022, and that the connection between the two appears limited to shared branding and values rather than personnel continuity. The group's leak-site posting framed DreamUp as a ransomware-style victim, but the public posting did not include technical indicators of encryption or operational disruption, and DreamUp has not publicly confirmed or denied the claim.
The breach affected approximately 1.7 million email-address entries based on DataBreach.com's parsing of the leaked files, alongside approximately 213,000 phone numbers, 224,000 street addresses, and 7,600 names. The relatively small ratio of names and contact-detail records to email-address entries suggests the leaked data may primarily represent a marketing or outreach contact list rather than a comprehensive user-account database, with most records consisting of email addresses with limited associated identity information.
For affected individuals, the practical risk profile is moderate and primarily concerns phishing and contact-data exposure rather than credential or financial-fraud risk. The combination of email address with phone number, street address, or name supports targeted phishing referencing space-education programs, school partnerships, or student research opportunities. Recipients of the leaked data may receive education-themed phishing campaigns referencing real DreamUp programs or partner institutions.
Affected individuals should remain alert to unsolicited contact referencing DreamUp, space-education programs, or student research opportunities, and should treat any communication requesting financial information, parental-consent forms, or login credentials with caution. Parents whose children's contact information may have been exposed through school-program enrollment should be alert to potential phishing campaigns targeting student or parent contacts.
ObscureIQ assessment: Exposure enables phishing, identity theft, and education-themed scams. Student and enrollment data may also reveal minors, academic status, or school affiliation.
The institutional impact on DreamUp depends on the eventual scope and authenticity of the leaked data, which has not been independently verified beyond DataBreach.com's parsing of the files posted by the threat actor. The threat actor's leak-site framing of DreamUp as a 'ransomware-style' victim has not been corroborated with technical indicators of encryption or operational disruption, suggesting the incident may be primarily data exfiltration rather than encryption-based ransomware. As an educational program operator working with U.S. K-12 schools and universities, DreamUp faces FERPA implications if student data was exposed and potential parental-consent disclosure obligations. The reputational impact concentrates within the space-education and STEM-outreach sector, where DreamUp has been a leading commercial-space education partner.
DreamUp is a U.S.-based space science education and outreach company that operates programs connecting K-12 schools, universities, and individual student researchers with space-based research opportunities including suborbital and low-Earth-orbit experiment platforms. The company partners with operators of commercial-space and government-space research platforms to enable student-designed experiments to be conducted in microgravity environments aboard the International Space Station and on suborbital flights. As an education-focused operator coordinating multi-institutional student research, DreamUp maintains substantial contact-record data including student, teacher, parent, school, and partner-institution information for enrollment management, experiment logistics, parental consent, and event coordination.
Education platforms collect student identity, contact details, enrollment records, course participation, and account activity tied to institutional or online learning workflows.
DreamUp was listed by the 'new LAPSUS$' extortion group on March 1, 2026 on the group's dark-web data leak site. Security researchers and breach-tracking publications including SpyCloud have noted that the 2026 LAPSUS$ group operating these breach claims appears to have no connection to the original LAPSUS$ gang led by Arion Kurtaj (which targeted Microsoft, Nvidia, Samsung, Okta, and others in 2021 to 2022) beyond shared values and branding choices. The new group is associated with the breached.st BreachForums successor site and has begun posting large breaches from major companies, including a major pharmaceutical company and an AI-based talent recruiting tool. DreamUp has not publicly detailed the original incident or the specific vulnerability that enabled the compromise. DataBreach.com indexed and parsed the leaked files in mid-March 2026.
Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.
If you believe your information may be included:
Verified fields include Email Address, Full Name, Phone Number, Physical Address.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on: