Malware stole PowerSchool internal passwords from an engineer's hacked computer.


A cyberattack and data breach at U.S. edtech giant PowerSchool, discovered on December 28, threatens to expose the personal data of millions of students and teachers.

PowerSchool has told customers that the breach was linked to the compromise of a subcontractor's account. TechCrunch learned this week of a separate security incident in which a PowerSchool software engineer's computer was infected with malware that stole their company credentials prior to the cyberattack.

The subcontractor mentioned by PowerSchool and the engineer identified by TechCrunch are unlikely to be the same person. The theft of the engineer's credentials raises further questions about security practices at PowerSchool, which was bought by private equity firm Bain Capital in a $5.6 billion deal last year.

PowerSchool has publicly shared few details about its cyberattack, and affected school districts have since notified their students and teachers about the data breach. Its school records software is used by 18,000 schools to support more than 60 million students across North America, according to the company's website.

In a communication shared with its clients last week and seen by TechCrunch, PowerSchool confirmed that unnamed hackers stole "sensitive personal information" from students and teachers, including some students' Social Security numbers, grades, demographics and some medical information. PowerSchool hasn't said how many users were affected by the cyberattack, but several school districts affected by the breach told TechCrunch that the hackers stole "all" of their historical student and teacher data.

An employee at one of the affected school districts told TechCrunch that highly sensitive information about students was included in the breach. The person gave examples such as information about parents' access to their children, including restraining orders, and information about when certain students need to take their medication. Other people at affected school districts told TechCrunch that the stolen data depended on what individual schools had put into their PowerSchool systems.

According to sources who spoke to TechCrunch, PowerSchool told customers that the hackers broke into the company's systems using a single maintenance account associated with a technical support contractor. On its incident page, launched this week, PowerSchool said it had identified unauthorized access to one of its customer support portals.

PowerSchool spokeswoman Beth Keebler confirmed Friday that the subcontractor's account used to access the customer support portal was not protected by multi-factor authentication, a security feature widely used to protect accounts from hackers using stolen passwords. PowerSchool says MFA is now in place.

PowerSchool is working with incident response firm CrowdStrike to investigate the breach, and a report is expected as early as Friday. When reached by email, CrowdStrike deferred comment to PowerSchool.

The company "cannot confirm the accuracy" of our reporting, Keebler told TechCrunch. "CrowdStrike's initial analysis and findings show no system-layer access or malware, virus or backdoor associated with this incident," Keebler said. PowerSchool did not say whether it had received the report from CrowdStrike, or whether it plans to make the findings public.

PowerSchool is continuing its review of the exfiltrated data and did not provide an estimate of the number of students and teachers whose data was affected.

PowerSchool passwords stolen by malware

According to a source with knowledge of the cybercrime operation, logs obtained from the computer of an engineer working at PowerSchool show that their device was heavily infected with the LummaC2 infostealer malware before the cyberattack.

It is not known exactly when the malware was installed. The passwords were stolen from the engineer's computer in January 2024 or earlier, the source said.

Infostealers have become an increasingly effective way to break into companies, especially with the rise of remote and hybrid work, which often allows employees to access work accounts from personal devices. As Wired has explained, this creates opportunities for malware to sneak onto someone's home computer and end up with corporate login credentials because the employee is logged into their work systems.

The cache of LummaC2 logs seen by TechCrunch includes the engineer's passwords, browsing history from two of their web browsers, and a file containing identifying technical information about the engineer's computer.

Some of the stolen credentials appear to be related to PowerSchool's internal systems.

The logs show that the malware extracted the engineer's saved passwords and browsing history from their Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs, including the engineer's stolen credentials, to servers controlled by the malware's operator. From there, the credentials were shared more widely online, including in cybercrime-focused Telegram groups where corporate account passwords and credentials are sold and traded among cybercriminals.

The stolen credentials include those for PowerSchool's source code repositories, its Slack messaging platform, its Jira instance for bug and issue tracking, and other internal systems. The engineer's browsing history also showed extensive access to PowerSchool's account on Amazon Web Services, including full access to the company's AWS-hosted S3 cloud storage.

The engineer is not being named because there is no evidence that they did anything wrong. As we have seen in similar breaches, companies are ultimately responsible for implementing and enforcing the security policies that prevent intrusions resulting from the theft of employee credentials.

When asked by TechCrunch, PowerSchool's Keebler said that the person who used the compromised credentials to breach PowerSchool's systems did not have access to AWS and that PowerSchool's internal systems, including Slack and AWS, are protected by MFA.

The engineer's computer also stored the credentials of several other PowerSchool employees, which TechCrunch saw. Those credentials appear to allow similar access to the company's Slack, source code repositories and other internal systems.

Of the dozens of PowerSchool credentials seen in the logs, many are short and basic, with some consisting of only a few letters and numbers. According to Have I Been Pwned, which maintains an updated list of stolen passwords, many of the account passwords used by PowerSchool match credentials that have already been compromised in previous data breaches.

TechCrunch has not tested the stolen usernames and passwords on any PowerSchool systems, as doing so would be against the law. As such, it cannot determine whether any of the credentials are currently in use or protected by MFA.

PowerSchool said it could not comment without seeing the passwords. (TechCrunch has withheld the credentials to protect the identity of the hacked engineer.) The company said it has robust password security protocols, including minimum length and complexity requirements, and that passwords are rotated in line with NIST recommendations. After the breach, PowerSchool "performed a full password reset and tighter password and access controls for all PowerSource customer support portal accounts," the company said, referring to its customer support portal.
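The short passwords and previously breached credentials described above are exactly what a breached-password screen, alongside a minimum-length rule, is meant to reject. The following is an added example, not PowerSchool's or Have I Been Pwned's code: it mimics the k-anonymity range lookup of the Pwned Passwords API against a constructed in-memory corpus, and the `MIN_LENGTH` value is an assumed policy setting.

```python
import hashlib
from typing import Callable, Dict, List

MIN_LENGTH = 12  # assumed policy value; NIST SP 800-63B requires at least 8

# Constructed sample breach corpus (plaintexts and counts are made up for the
# example). A real deployment queries the Pwned Passwords range API or a local
# mirror; each returned line has the form "HASH_SUFFIX:COUNT".
_SAMPLE_BREACHED = {"password1": 2487834, "abc123": 1048574, "ps2024": 3}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_lookup(breached: Dict[str, int]) -> Callable[[str], str]:
    """Return a function that behaves like the range endpoint: given the
    first 5 hex chars of a SHA-1, return every known suffix with that prefix."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = _sha1_upper(pw)
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []))


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Only the 5-char prefix leaves the client; the full hash is matched
    locally against the returned suffixes, so the password itself is never
    sent. Returns how many times the password was seen in breaches (0 if never)."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        known_suffix, count = line.split(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, range_lookup=None) -> Dict[str, object]:
    """Apply the two checks a verifier should enforce: minimum length and
    absence from known breach corpora. Returns the verdict and reasons."""
    lookup = range_lookup or _build_range_lookup(_SAMPLE_BREACHED)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, lookup)
    if seen:
        problems.append(f"appears in {seen} known breach records")
    return {"acceptable": not problems, "problems": problems}
```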

PowerSchool says it uses single sign-on technology and MFA for employees and contractors. The company said contractors are given laptops or access to its virtual desktop environment, with security controls such as anti-malware, and use a VPN to connect to the company's systems.

As affected school districts continue to assess how much personal information of their current and former students and staff was stolen, questions remain about PowerSchool's handling of the data breach and subsequent incident.

Employees at school districts affected by the PowerSchool breach told TechCrunch that administrators are relying on crowdsourced efforts from other school districts and customers to scour PowerSchool log files for evidence of data theft.

At the time of publication, PowerSchool's documentation of the breach was not accessible without a customer login on the company's website.

Reported by Carly Page.

Zack Whittaker can be reached securely on Signal and WhatsApp at +1 646-755-8849, and Carly Page can be reached securely on Signal at +44 1536 853968. You can share documents securely through TechCrunch's SecureDrop.
