A cyberattack and data breach at U.S. edtech giant PowerSchool, discovered on December 28, threatens to expose the personal information of millions of schoolchildren and teachers.
PowerSchool told customers that the breach was linked to the compromise of a subcontractor’s account. TechCrunch learned of a separate security incident this week, involving a PowerSchool software engineer, whose computer was infected with malware that stole their company credentials prior to the cyber attack.
It is unlikely that the subcontractor mentioned by PowerSchool and the engineer identified by TechCrunch are the same person. The theft of the engineer’s credentials raises further doubts about the security practices of PowerSchool, which was acquired by private equity giant Bain Capital in a $5.6 billion deal last year.
PowerSchool has publicly shared few details about its cyberattack, as affected school districts begin notifying their students and teachers about the data breach. The company’s website says its school records software is used by 18,000 schools across North America to support more than 60 million students.
In a communication shared with its customers last week and seen by TechCrunch, PowerSchool confirmed that unnamed hackers stole “sensitive personal information” of students and teachers, including some students’ Social Security numbers, grades, demographics and medical information. PowerSchool has yet to say how many customers were affected by the cyberattack, but several school districts affected by the breach told TechCrunch their logs show the hackers stole “all” of their historical student and teacher data.
A person who works at one of the affected school districts told TechCrunch that they have evidence that highly sensitive information about students was exfiltrated in the breach. The person gave examples, such as information about parental access rights to their children, including restraining orders, and information about when certain students must take their medication. Other people at affected school districts told TechCrunch that the stolen data depends on what each school added to its PowerSchool systems.
According to sources who spoke to TechCrunch, PowerSchool told its customers that hackers accessed the company’s systems using a single compromised maintenance account linked to a technical support subcontractor of PowerSchool. On its incident page launched this week, PowerSchool said it had identified unauthorized access to one of its customer support portals.
PowerSchool spokeswoman Beth Keebler confirmed to TechCrunch on Friday that the subcontractor’s account used to breach the customer support portal was not secured with multi-factor authentication (MFA), a widely used security feature that helps protect accounts against hacks that rely on stolen passwords. PowerSchool said MFA has since been enabled.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach and is expected to release a report by Friday. When reached by email, CrowdStrike deferred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify the accuracy” of TechCrunch’s reporting. “CrowdStrike’s initial analysis and findings show no evidence of system-layer access or any malware, viruses or backdoors associated with this incident,” Keebler told TechCrunch. PowerSchool would not say whether it had received the report from CrowdStrike, nor whether it plans to publicly release its findings.
PowerSchool said its review of the exposed data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
According to a source with knowledge of the cybercriminal operation, logs obtained from the computer of an engineer working at PowerSchool showed that their device was infected by the LummaC2 infostealing malware before the cyberattack.
It’s unclear exactly when the malware was installed. The source said the passwords were stolen from the engineer’s computer in or before January 2024.
Infostealers have become an increasingly effective route for hackers to enter companies, especially with the rise of remote and hybrid work, which often allows employees to use their personal devices to access work accounts. As Wired explains, this means infostealing malware installed on someone’s home computer can still yield credentials capable of corporate access, because the employee was also logged into their work systems from that machine.
The cache of LummaC2 logs, seen by TechCrunch, includes the engineer’s password, browsing history from two of their web browsers, and a file containing identifiable and technical information about the engineer’s computer.
Some of the stolen credentials appear to be linked to PowerSchool’s internal systems.
Logs show that the malware extracted the engineer’s saved passwords and browsing history from their Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs containing the engineer’s stolen credentials to servers controlled by the malware’s operator. From there, the credentials were shared with a larger online community, including closed cybercrime-focused Telegram groups, where corporate account passwords and credentials are sold and traded among cybercriminals.
The malware logs contain the engineer’s passwords for PowerSchool’s source code repository, its Slack messaging platform, Jira instances for bug and issue tracking, and other internal systems. The engineer’s browsing history also showed they had extensive access to PowerSchool’s account on Amazon Web Services, including full access to the company’s AWS-hosted S3 cloud storage servers.
We are not naming the engineer, as there is no evidence that they did anything wrong. As we have noted about earlier breaches in similar situations, it is ultimately the company’s responsibility to implement defenses and enforce security policies that prevent intrusions resulting from stolen employee credentials.
Asked by TechCrunch, PowerSchool’s Keebler said the person whose compromised credentials were used to breach PowerSchool’s systems did not have access to AWS and that PowerSchool’s internal systems — Slack and AWS — are protected by MFA.
Several sets of credentials from other PowerSchool employees were also stored on the engineer’s computer, which TechCrunch saw. The credentials appear to allow similar access to the company’s Slack, source code repositories, and other internal company systems.
Of the dozens of PowerSchool credentials we saw in the logs, many were short and basic in complexity, some consisting of just a few letters and numbers. According to Have I Been Pwned, which indexes passwords exposed in data breaches, several PowerSchool accounts used passwords that had already been compromised in previous data breaches.
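As an added example (not part of TechCrunch’s reporting or any PowerSchool tooling), this is how a defender can run the same breached-password check against the Have I Been Pwned range API without ever sending the password or its full hash off the machine. The range data below is constructed so the script runs offline; the real API base URL `https://api.pwnedpasswords.com/range/` and the minimum length of 8 are assumptions.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the text body Have I Been Pwned returns from
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
# Each line is "<remaining 35 hex chars>:<times seen in breaches>".
# The first line is the real SHA-1 suffix of the sample password "password";
# the other two lines are filler to show that only an exact suffix match counts.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\r\n"
        "000A1B2C3D4E5F60718293A4B5C6D7E8F90:3\r\n"
        "FFFFEEEEDDDDCCCCBBBBAAAA99998888777:12\r\n"
    ),
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS request; an unknown prefix yields no matches."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def pwned_count(password: str,
                range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus.

    Only the first 5 hex characters of the SHA-1 hash leave the machine
    (k-anonymity); the plaintext and the full hash never do.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Apply both checks: a minimum length and a breach-corpus lookup."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hits = pwned_count(password)
    if hits:
        return False, f"seen in {hits} prior breaches"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "abc12", "constructed-sample-passphrase"):
        print(pw, password_acceptable(pw))
```

Swap `offline_range_lookup` for a function that fetches the prefix from the real API to check passwords against the live corpus; the constructed store here only knows the one sample password.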
TechCrunch has not tested the stolen usernames and passwords on any PowerSchool systems, as it would be illegal to do so. As such, it cannot be determined whether any of the credentials are still in active use or protected with MFA.
PowerSchool said it could not comment without seeing the passwords. (TechCrunch has withheld the passwords and the identity of the hacked engineer to protect their privacy.) The company said it has strong password-protection protocols, with minimum length and complexity requirements, and that passwords are rotated in alignment with NIST recommendations. The company said that following the breach, PowerSchool “conducted a full password reset and tightened password and access controls for all PowerSource customer support portal accounts,” PowerSource being the customer support portal that was breached.
PowerSchool says it uses single sign-on technology and MFA for both employees and contractors. The company said contractors are given access to laptops or its virtual desktop environment with security controls, such as anti-malware and a VPN to connect to company systems.
Questions remain about PowerSchool’s handling of the data breach and its aftermath, as affected school districts continue to assess how many of their current and former students and staff had personal data stolen in the breach.
Staff at school districts affected by the PowerSchool breach told TechCrunch that they are relying on crowdsourced efforts from other school districts and customers to help administrators search their PowerSchool log files for evidence of data theft.
At the time of publication, PowerSchool’s documentation regarding the breach could not be accessed without a customer login for the company’s website.
Carly Page contributed reporting.
Zack Whittaker can be reached securely on Signal and on WhatsApp at +1 646-755-8849, and Carly Page can be reached securely on Signal at +44 1536 853968. You can also share documents securely through TechCrunch SecureDrop.