A cyber attack and data breach at US tech giant PowerSchool discovered on December 28 threatens to expose the personal data of tens of millions of students and teachers.
PowerSchool told customers that the breach was linked to the breach of a subcontractor’s account. TechCrunch learned this week of a separate security incident involving a PowerSchool software engineer whose computer was infected with malware that stole their company credentials prior to the cyberattack.
It is unlikely that the subcontractor listed by PowerSchool and the engineer identified by TechCrunch are the same person. The theft of the engineer’s credentials raises further doubts about security practices at PowerSchool, which was acquired by private equity giant Bain Capital in a $5.6 billion deal last year.
PowerSchool has only released a few details publicly about its cyberattack as affected school districts begin to notify their students and teachers about the data breach. The company’s website says its school records software is used by 18,000 schools to support more than 60 million students across North America.
In a communication shared with its customers last week and seen by TechCrunch, PowerSchool confirmed that unnamed hackers stole “sensitive personal information” of students and teachers, including Social Security numbers, grades, demographics and medical information of certain students. PowerSchool has not yet said how many customers are affected by the cyberattack, but several school districts affected by the breach told TechCrunch that their logs show that the hackers stole “all” of historical student and teacher data.
A person who works at an affected school district told TechCrunch that they have evidence that highly sensitive information about students was infiltrated in the breach. The individual gave examples such as information about parental access rights to their children, including restraining orders, and information about when certain students should take their medication. Other people at the affected school districts told TechCrunch that the stolen data would depend on what each school added to their PowerSchool systems.
According to sources speaking to TechCrunch, PowerSchool told its customers that hackers broke into the company’s systems using a single compromised maintenance account associated with a PowerSchool technical support subcontractor. On him incident page released this week, PowerSchool said it detected the unauthorized access to one of its customer support portals.
PowerSchool spokeswoman Beth Keebler confirmed to TechCrunch on Friday that the subcontractor account used to breach the customer support portal was not protected by multi-factor authentication, a widely used security feature that can help protect accounts from hacks that connect with password theft. PowerSchool said the MFA has since grown.
PowerSchool is working with incident response firm CrowdStrike to investigate the breach, and a report is expected to be released Friday. When reached by email, CrowdStrike deferred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify the accuracy” of our reports. “CrowdStrike’s initial analysis and findings do not indicate any system-level access related to this incident or any malware, virus or backdoor,” Keebler told TechCrunch. PowerSchool did not say whether it had received the report from CrowdStrike, nor would it say whether it planned to make its findings public.
PowerSchool said its review of the breached data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
PowerSchool passwords stolen by malware
According to a source with knowledge of the cyber actions, logs taken from the computer of an engineer working for PowerSchool show that their device was compromised by the prolific LummaC2 malware prior to the cyberattack.
It is not clear exactly when the malware was installed. The source said the passwords were stolen from the engineer’s computer in January 2024 or earlier.
Infostealers have become an increasingly effective avenue for hackers to break into companies, especially with the rise of remote and hybrid working, which often allows employees to use their personal devices to access work accounts. As Wired explainsthis creates opportunities for information-stealing malware to install on someone’s home computer, but still end up with corporate-accessible credentials because the employee was also logged into their work systems.
The cache of LummaC2 logs, seen by TechCrunch, includes the engineer’s passwords, browsing history from two of their web browsers, and a file containing identifiable and technical information about the engineer’s computer.
Some of the stolen credentials appear to be related to PowerSchool’s internal systems.
The logs show that the malware extracted the engineer’s saved passwords and browsing histories from Google Chrome and Microsoft Edge browsers. The malware then uploaded the cache of logs, including the stolen engineer’s credentials, to servers controlled by the malware’s operator. From there, the credentials were shared with a wider online community, including closed cybercrime-focused Telegram groups where corporate account passwords and credentials are sold and traded among cybercriminals.
The malware logs contain the engineer’s passwords to the PowerSchool source code repositories, the Slack messaging platform, the Jira instance for bug and issue tracking, and other internal systems. The engineer’s browsing history also shows they had broad access to PowerSchool’s Amazon Web Services account, which included full access to the company’s S3 cloud storage servers hosted by AWS.
We are not naming the engineer as there is no evidence that they did anything wrong. As we have previously noted regarding breaches in similar circumstances, it is ultimately the responsibility of companies to implement defensive measures and enforce security policies that prevent intrusions caused by theft of employee credentials.
When asked by TechCrunch, PowerSchool’s Keebler said that the person whose compromised credentials were used to breach PowerSchool’s systems did not have access to AWS, and that PowerSchool’s internal systems — including Slack and AWS — are protected by MFA.
The engineer’s computer also stored multiple sets of credentials belonging to other PowerSchool employees, which TechCrunch has seen. The credentials appear to allow similar access to the company’s Slack, source code repositories, and other internal company systems.
Of the dozens of PowerSchool credentials we’ve seen in the logs, many were short and basic in complexity, with some consisting of just a few letters and numbers. Many of the account passwords used by PowerSchool matched credentials that had already been compromised in previous data breaches, according to Have I Been Pwned update list of stolen passwords.
TechCrunch did not review the stolen usernames and passwords on any PowerSchool systems, as doing so would be illegal. Therefore, it cannot be determined if any of the credentials are still in active use or if any are protected by MFA.
PowerSchool said it could not comment on the passwords without seeing them. (TechCrunch has withheld the credentials to protect the identity of the hacked engineer.) The company said has “strong protocols for password security, including minimum length and complexity requirements, and passwords are rotated according to NIST recommendations.” The company said that after the breach, PowerSchool “conducted a full password reset and further improved password and access control for all PowerSource Customer Support Portal accounts,” referring to the customer support portal that was breached.
PowerSchool said it uses single sign-on and MFA technology for both employees and contractors. The company said contractors are provided with laptops or access to the virtual desktop environment that have security controls such as anti-malware and VPNs to connect to company systems.
Questions remain about the PowerSchool data breach and subsequent handling of the incident, as affected school districts continue to assess how many of their current and former students and staff had personal data stolen during the breach.
Staff at school districts affected by the PowerSchool breach tell TechCrunch they are relying on efforts from other school districts and pooled customers to help administrators search PowerSchool logs for evidence of data theft.
At the time of publication, PowerSchool’s documentation on hacking without a client login is not accessible for the company’s website.
Carly Page contributed reporting.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849 and you can reach Carly Page securely on Signal at +44 1536 853968. You can also share documents securely with TechCrunch via SecureDrop.
