The US education technology giant PowerSchool suffered a cyber attack and data breach discovered on December 28, and the private data of tens of millions of school children and teachers may have been exposed.
PowerSchool told customers the breach was related to the compromise of a subcontractor's account. TechCrunch learned of another security incident this week involving a PowerSchool software engineer whose computer was infected with malware that stole their company credentials before the cyberattack.
It is unlikely that the subcontractor mentioned by PowerSchool and the engineer mentioned by TechCrunch are the same person. The theft of engineer credentials raises further doubts about PowerSchool's security practices. PowerSchool was acquired by private equity giant Bain Capital last year for $5.6 billion.
PowerSchool has publicly shared only a few details about its cyberattack, and affected school districts have begun notifying students and teachers of the data breach. The company's website says its school records software is used by 18,000 schools, supporting more than 60 million students in North America.
In communications shared with customers last week and seen by TechCrunch, PowerSchool confirmed that unnamed hackers stole "sensitive personal information" from students and teachers, including some students' Social Security numbers, grades, demographic and medical information. PowerSchool has not disclosed how many customers were affected by the cyberattack, but several school districts affected by the attack told TechCrunch that their logs showed hackers stole "all" of their historical student and teacher data.
A person who works for the affected school district told TechCrunch they have evidence that highly sensitive information about students was exposed in the breach. The person gave examples such as information about parents' rights to visit their children, including restraining orders, and information about when certain students need to take medication. Others at affected school districts told TechCrunch that the data stolen will depend on what each school adds to its PowerSchool system.
PowerSchool told its customers that hackers broke into the company's systems using a single compromised maintenance account associated with PowerSchool's technical support subcontractor, according to sources who spoke to TechCrunch. PowerSchool said on an incident page launched this week that it discovered unauthorized access in one of its customer support portals.
PowerSchool spokesperson Beth Keebler confirmed to TechCrunch on Friday that the subcontractor account used to compromise the customer support portal was not protected by multi-factor authentication, a widely used security feature that helps protect accounts against intrusions that rely on stolen passwords. PowerSchool says MFA is now in place.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach and is expected to release a report as early as Friday. CrowdStrike deferred comment to PowerSchool when contacted via email.
Keebler told TechCrunch that the company "cannot verify" the accuracy of our reporting. "CrowdStrike's preliminary analysis and findings indicate that there is no evidence of system-level access related to this incident, nor any malware, viruses, or backdoors," Keebler told TechCrunch. PowerSchool did not disclose whether it had received CrowdStrike's report or whether it planned to publicly release its findings.
PowerSchool said its review of the leaked data is ongoing but did not provide an estimate of the number of students and teachers whose data was affected.
Logs obtained from the computer of a PowerSchool engineer show that their device was compromised by the prolific LummaC2 information-stealing malware prior to the cyberattack, according to sources with knowledge of cybercrime activity.
It's unclear exactly when the malware was installed. Sources said the passwords were stolen from the engineer's computer in January 2024 or earlier.
Information stealers have become an increasingly effective way for hackers to break into companies, especially with the rise of remote and hybrid working, which often allow employees to use personal devices to access work accounts. As Wired explains, this creates an opportunity for information-stealing malware to be installed on someone's home computer, but still end up gaining the credentials to gain corporate access because the employee is also logged into their work system.
The cache of LummaC2 logs seen by TechCrunch included the engineer's password, browsing history from two web browsers, and a file containing identifiable and technical information about the engineer's computer.
Some of the stolen credentials appear to be related to PowerSchool's internal systems.
Logs show the malware extracted the engineer's saved passwords and browsing history from their Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs, including the engineer's stolen credentials, to a server controlled by the malware operator. From there, the credentials were shared with the wider online community, including closed Telegram groups focused on cybercrime, where company account passwords and credentials are sold and traded among cybercriminals.
The malware logs contain passwords for the engineer's PowerSchool source code repository, the Slack messaging platform, Jira instances used for bug and issue tracking, and other internal systems. The engineer's browsing history also showed they had broad access to PowerSchool's account on Amazon Web Services, including full access to the company's AWS-hosted S3 cloud storage server.
We are not naming the engineer because there is no evidence they did anything wrong. As we've mentioned before with breaches in similar situations, it's ultimately the company's responsibility to implement defenses and enforce security policies to prevent intrusions resulting from stolen employee credentials.
When asked by TechCrunch, PowerSchool's Keebler said the person whose stolen credentials were used to compromise PowerSchool's systems was unable to access AWS, and that PowerSchool's internal systems, including Slack and AWS, are protected by MFA.
TechCrunch has seen that the engineer's computer also stored multiple sets of credentials belonging to other PowerSchool employees. The credentials appear to allow similar access to the company's Slack, source code repositories and other internal company systems.
Of the dozens of PowerSchool credentials we saw in the logs, many were short and largely not complex, with some consisting of just a few letters and numbers. According to Have I Been Pwned's updated list of stolen passwords, multiple account passwords used by PowerSchool match credentials that have been compromised in previous data breaches.
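The Have I Been Pwned check referred to above is the kind of control a defender can automate. The following is an added example, not code from TechCrunch or PowerSchool: it implements the Pwned Passwords k-anonymity lookup (hash the password with SHA-1, send only the first five hex characters, match the remaining suffix locally) together with a minimum-length rule. The breached-password table is constructed for the example so it runs offline; the `live_range_fetch` function shows the real endpoint but is not called by default.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords "range" API: maps a 5-hex-char SHA-1
# prefix to the response body the real service returns ("SUFFIX:COUNT" lines).
# The passwords and counts below are made up; only the protocol shape is real.
CONSTRUCTED_RANGES: Dict[str, str] = {}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _add_breached(password: str, count: int) -> None:
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    CONSTRUCTED_RANGES[prefix] = CONSTRUCTED_RANGES.get(prefix, "") + f"{suffix}:{count}\r\n"


for _pw, _n in [("password1", 2400000), ("abc123", 1900000), ("Summer2024!", 350)]:
    _add_breached(_pw, _n)


def offline_range_fetch(prefix: str) -> str:
    """Answer a range query from the constructed table (used by default)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_range_fetch(prefix: str) -> str:
    """Query the real service; the API only ever sees the 5-character prefix."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_range_fetch) -> int:
    """Return how many times the password appears in the breach corpus (0 if absent)."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def evaluate_password(password: str, min_length: int = 12,
                      fetch_range: Callable[[str], str] = offline_range_fetch) -> dict:
    """Apply a length floor plus the breach check; both reasons are reported when present."""
    count = pwned_count(password, fetch_range)
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if count > 0:
        reasons.append(f"appears {count} times in known breaches")
    return {"ok": not reasons, "breach_count": count, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["abc123", "Summer2024!", "correct horse battery staple"]:
        print(pw, evaluate_password(pw))
```

Because only the hash prefix leaves the machine, this check can be wired into a password-change flow or run against a credential dump a security team is triaging without sending any password to a third party.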
TechCrunch did not test the stolen usernames and passwords on any PowerSchool systems because doing so is illegal. Therefore, it cannot be determined whether any credentials are still in use or whether any credentials are protected by MFA.
PowerSchool said it could not comment on the passwords without seeing them. (TechCrunch retained those credentials to protect the identities of the engineers who were hacked.) The company said it has "strong password security protocols in place, including minimum length and complexity requirements, and password rotation consistent with NIST recommendations." The company said that after the breach, PowerSchool had "implemented a comprehensive password reset of all PowerSource Customer Support Portal accounts and further tightened password and access controls," referring to the breached customer support portal.
PowerSchool says it uses single sign-on technology and MFA for employees and contractors. The company said contractors can use laptops or access virtual desktop environments with security controls, such as anti-malware software and VPNs to connect to company systems.
Questions remain about the PowerSchool data breach and its subsequent handling of the incident, as the affected school districts are still assessing how many current and former students and staff members' personal data was stolen in the breach.
School district staff affected by the PowerSchool breach told TechCrunch they are relying on crowdsourcing efforts from other districts and customers to help administrators search PowerSchool log files for evidence of data theft.
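The log review the district staff describe is essentially a hunt for bulk data pulls by an account that should not be making them. The following is an added example, not code from TechCrunch, PowerSchool or any school district: it parses a constructed audit-log format (assumed for this example; real PowerSchool logs will differ) and flags export events that are either unusually large or happen outside normal working hours, while totalling rows exported per account so reviewers can see the scale of a possible theft.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed log line shape for this example; adapt the regex to the real audit format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: a registrar doing routine work, then a maintenance account
# pulling whole tables in the middle of the night.
SAMPLE_LOG = """\
2024-12-22T14:02:11Z user=registrar-jdoe ip=198.51.100.4 action=view resource=students rows=1
2024-12-22T14:05:40Z user=registrar-jdoe ip=198.51.100.4 action=export resource=students rows=212
2024-12-28T02:13:44Z user=maint-svc ip=203.0.113.7 action=export resource=students rows=48213
2024-12-28T02:15:09Z user=maint-svc ip=203.0.113.7 action=export resource=teachers rows=3902
2024-12-28T02:16:30Z user=maint-svc ip=203.0.113.7 action=export resource=contacts rows=61544
"""


def parse_events(text: str) -> List[Dict]:
    """Turn raw log text into dicts with a timezone-aware timestamp and integer row count."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not match the expected format are skipped, not guessed
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["rows"] = int(e["rows"])
        events.append(e)
    return events


def find_suspicious_exports(events: List[Dict], row_threshold: int = 5000,
                            quiet_hours: range = range(0, 6)) -> Tuple[List[Dict], Dict[str, int]]:
    """Flag export events by size or time of day; also total exported rows per account."""
    findings: List[Dict] = []
    rows_per_user: Counter = Counter()
    for e in events:
        if e["action"] != "export":
            continue
        rows_per_user[e["user"]] += e["rows"]
        reasons = []
        if e["rows"] >= row_threshold:
            reasons.append("bulk_export")
        if e["ts"].hour in quiet_hours:
            reasons.append("off_hours")
        if reasons:
            findings.append({
                "user": e["user"], "ts": e["ts"].isoformat(), "ip": e["ip"],
                "resource": e["resource"], "rows": e["rows"], "reasons": reasons,
            })
    return findings, dict(rows_per_user)


if __name__ == "__main__":
    found, totals = find_suspicious_exports(parse_events(SAMPLE_LOG))
    for f in found:
        print(f)
    print("rows exported per account:", totals)
```

The thresholds are deliberately simple; the value for an investigator is the per-account total, which turns a list of events into a statement like "this account exported N records in M minutes" that can be compared against the district's own record counts.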
As of publication, customers are unable to access PowerSchool's documentation regarding the breach unless they are logged into the company's website.
Carly Page contributed reporting.
Contact Zack Whittaker securely via Signal and WhatsApp (+1 646-755-8849) and Carly Page securely via Signal (+44 1536 853968). You can also securely share documents with TechCrunch via SecureDrop.