Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A cyberattack and data breach at US edtech giant PowerSchool which was discovered on December 28 threatens to expose the private data of tens of millions of schoolchildren and teachers.
PowerSchool told customers that the breach was related to the compromise of a subcontractor’s account. TechCrunch learned this week of a separate security incident, involving a PowerSchool software engineer, whose computer was infected with malware that stole his company credentials prior to the cyber attack.
It is unlikely that the subcontractor cited by PowerSchool and the engineer identified by TechCrunch are the same person. The theft of the engineer’s credentials raises further questions about security practices at PowerSchool, which was acquired by private equity giant Bain Capital. in a $5.6 billion deal last year.
PowerSchool has shared only a few details publicly about its cyberattack as affected school districts begin to notify their students and teachers of the data breach. The company’s website says its school records software is used by 18,000 schools to support more than 60 million students in North America.
In a communication shared with its customers last week and seen by TechCrunch, PowerSchool confirmed that unnamed hackers stole “sensitive personal information” about students and teachers, including some students’ Social Security numbers, grades, demographics and medical information. PowerSchool has not yet said how many customers are affected by the cyber attack, but several school districts affected by the breach told TechCrunch that their logs show the hackers stole “all” of their historical student and teacher data.
A person who works at an affected school district told TechCrunch that they have evidence that highly sensitive information about students was leaked in the breach. The person gave examples such as information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medication. Other people at the affected school districts told TechCrunch that the stolen data would depend on what each individual school added to their PowerSchool systems.
According to sources who spoke with TechCrunch, PowerSchool told its customers that hackers broke into the company’s systems using a single compromised maintenance account associated with a technical support subcontractor to PowerSchool. On his incident page that launched this week, PowerSchool said it identified unauthorized access to one of its customer support portals.
PowerSchool spokeswoman Beth Keebler confirmed to TechCrunch on Friday that the subcontractor account used to breach the customer support portal was not protected with multi-factor authentication, a widely used security feature that can help to protect accounts against hackers related to password theft. PowerSchool said the MFA was launched.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach and a report is expected to be released on Friday. When reached by email, CrowdStrike referred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify the accuracy” of our reports. “CrowdStrike’s initial analysis and results show no evidence of system-layer access associated with this incident or any malware, viruses or backdoors,” Keebler told TechCrunch. PowerSchool did not say whether it had received the report from CrowdStrike, nor would it say whether it planned to publicly release its findings.
PowerSchool said its review of the exfiltrated data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
PowerSchool passwords stolen by malware
According to a source with knowledge of cybercriminal operations, logs obtained from the computer of an engineer working for PowerSchool show that his device was hacked by the prolific LummaC2. infostealing malware before the cyber attack.
It is unclear exactly when the malware was installed. The source said the passwords were stolen from the engineer’s computer in January 2024 or earlier.
Infostealers have become an increasingly effective way for hackers to break into companies, especially with the rise of remote and hybrid work, which often allows employees to use their personal devices to access company accounts. work As Wired explainsThis creates opportunities for infostealing malware to install on someone’s home computer, but also end up with credentials capable of corporate access because the employee was still logged into their work systems.
The cache of LummaC2 logs, seen by TechCrunch, included the engineer’s passwords, browsing history from two of his web browsers, and a file containing identifiable and technical information about the engineer’s computer.
Some of the stolen credentials appear to be associated with PowerSchool’s internal systems.
The logs show that the malware extracted the engineer’s saved passwords and browsing histories from his Google Chrome and Microsoft Edge browsers. The malware uploaded the cache of logs, including the engineer’s stolen credentials, to servers controlled by the malware’s operator. From there, the credentials were shared with a wider online community, including closed Telegram groups focused on cybercrime, where corporate account passwords and credentials are sold and traded among cybercriminals.
The malware logs contain engineer passwords for PowerSchool’s source code repositories, its Slack messaging platform, its Jira instance for bug and issue tracking, and other internal systems. The engineer’s browsing history also shows that they had broad access to PowerSchool’s account on Amazon Web Services, which included full access to the company’s AWS-hosted S3 cloud storage servers.
We are not naming the engineer, as there is no evidence that they have done anything wrong. As we have noticed violations in similar circumstances beforeit is ultimately the responsibility of companies to implement defenses and enforce security policies that prevent intrusions caused by the theft of employee credentials.
When asked by TechCrunch, PowerSchool’s Keebler said that the person whose compromised credentials were used to breach PowerSchool’s systems did not have access to AWS and that PowerSchool’s internal systems — including Slack and AWS — are protected with MFA. .
The engineer’s computer also stored multiple sets of credentials belonging to other PowerSchool employees, which TechCrunch has seen. The credentials appear to allow similar access to the company’s Slack, source code repositories and other internal company systems.
Of the dozens of PowerSchool credentials we saw in the logs, many were short and basic in complexity, with some consisting of just a few letters and numbers. Many of the account passwords used by PowerSchool match credentials that were already compromised in previous data breaches, according to Have I Been Pwned’s update the list of stolen passwords.
TechCrunch has not tested stolen usernames and passwords on any PowerSchool system, as doing so would be illegal. As such, it cannot be determined if any of the credentials are still in active use or if any were protected with MFA.
PowerSchool said it couldn’t comment on passwords without seeing them. (TechCrunch has withheld credentials to protect the identity of the hacking engineer.) The company said that has “robust protocols in place for password security, including minimum length and complexity requirements, and passwords are rotated in alignment with NIST recommendations.” The company said after the breach, PowerSchool “performed a full password reset and tightened password and access control for all PowerSource customer support portal accounts,” referring to the customer care portal that has been breached.
PowerSchool said it uses single sign-on technology and MFA for employees and employers. The company said that contractors are provided laptops or access to its virtual desktop environment that have security controls, such as anti-malware and a VPN to connect to the company’s systems.
Questions remain about the PowerSchool data breach and its subsequent handling of the incident, as affected school districts continue to assess how many of their current and former students and staff had personal data stolen in the breach.
Staff at school districts affected by the PowerSchool breach tell TechCrunch they are relying on crowdsourcing efforts from other school districts and customers to help administrators search their PowerSchool log files for evidence of data theft.
At the time of publication, PowerSchool’s documentation on the breach cannot be accessed without a customer login for the company’s website.
Carly Page contributed to the report.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849, and Carly Page can be reached securely on Signal at +44 1536 853968. You can also securely share documents with TechCrunch via SecureDrop.
