A cyberattack and data breach at the American educational technology giant PowerSchool, discovered on December 28, threatens to expose the private data of tens of millions of schoolchildren and teachers.
PowerSchool told customers the breach was related to a subcontractor’s account being compromised. TechCrunch learned this week of a separate security incident, involving a PowerSchool software engineer, whose computer was infected with malware that stole company credentials prior to the cyberattack.
It is unlikely that the subcontractor mentioned by PowerSchool and the engineer identified by TechCrunch are the same person. The theft of the engineer’s credentials raises further doubts about security practices at PowerSchool, which was acquired by private equity giant Bain Capital last year in a deal worth $5.6 billion.
PowerSchool has shared few details publicly about its cyberattack, as affected school districts have begun notifying their students and teachers of the data breach. The company’s website says its school records software is used by 18,000 schools to support more than 60 million students across North America.
In a communication shared with its customers last week and seen by TechCrunch, PowerSchool confirmed that the unnamed hackers stole “sensitive personal information” about students and teachers, including some students’ Social Security numbers, grades, demographics, and medical information. PowerSchool has not yet said how many customers were affected by the cyberattack, but several school districts that were compromised told TechCrunch that their records show hackers stole “all” of their students’ and teachers’ historical data.
One person who works in an affected school district told TechCrunch that they have evidence that highly sensitive information about students was leaked in the hack. The person gave examples, such as information about parents’ access rights to their children, including restraining orders, and information about when some students need to take their medications. Other people in the affected school districts told TechCrunch that the data stolen will depend on what individual schools add to their PowerSchool systems.
According to sources who spoke with TechCrunch, PowerSchool told its customers that hackers broke into the company’s systems using a single compromised maintenance account linked to a PowerSchool technical support subcontractor. An incident page that PowerSchool launched this week said the company had identified the unauthorized access in one of its customer support portals.
PowerSchool spokesperson Beth Keebler confirmed to TechCrunch on Friday that the subcontractor’s account used to hack a customer support portal was not protected with multi-factor authentication, a widely used security feature that can help protect accounts from hacks associated with password theft. MFA has since been rolled out, PowerSchool said.
PowerSchool is working with incident response company CrowdStrike to investigate the breach and is expected to release a report early Friday. When reached via email, CrowdStrike deferred comment to PowerSchool.
Keebler told TechCrunch that the company “cannot verify the accuracy” of our reporting. “CrowdStrike’s initial analysis and findings show no evidence of system layer access associated with this incident nor any malware, viruses, or backdoor,” Keebler told TechCrunch. PowerSchool did not say whether it had received the report from CrowdStrike, nor would it say whether it plans to release its findings publicly.
PowerSchool said its review of the leaked data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.
PowerSchool passwords stolen by malware
According to a source familiar with cybercrime operations, logs obtained from the computer of an engineer working at PowerSchool show that their device was compromised by the prolific LummaC2 information-stealing malware before the cyberattack.
It is unclear exactly when the malware was installed. The source said the passwords were stolen from the engineer’s computer in January 2024 or earlier.
Information-stealing malware has become an increasingly effective way for hackers to break into companies, especially with the rise of remote and hybrid work, which often allows employees to use their personal devices to access work accounts. As Wired explains, this creates opportunities for information-stealing malware to be installed on someone’s home computer and still end up with credentials able to access the company, because the employee is also logged into their work systems from that device.
The LummaC2 log cache, viewed by TechCrunch, includes the engineer’s passwords, browsing history from two of their web browsers, and a file containing identifying and technical information about the engineer’s computer.
Some of the stolen credentials appear to be linked to internal PowerSchool systems.
Logs show that the malware extracted the engineer’s saved passwords and browsing histories from Google Chrome and Microsoft Edge browsers. The malware then uploaded a cache of logs, including the engineer’s stolen credentials, to servers controlled by the malware operator. From there, the credentials were shared with a wider online community, including closed Telegram groups focused on cybercrime, where company account passwords and credentials are sold and traded among cybercriminals.
The malware logs contained engineer passwords for PowerSchool’s source code repositories, messaging platform Slack, its Jira instance for tracking bugs and issues, and other internal systems. The engineer’s browsing history also shows they have broad access to their PowerSchool account on Amazon Web Services, which includes full access to the company’s AWS-hosted S3 cloud storage servers.
We are not naming the engineer, because there is no evidence that they did anything wrong. As we have previously noted about breaches in similar circumstances, it is ultimately the responsibility of companies to implement defenses and enforce security policies that prevent intrusions resulting from the theft of employee credentials.
When asked by TechCrunch, PowerSchool’s Keebler said that the person whose compromised credentials were used to compromise PowerSchool’s systems did not have access to AWS and that PowerSchool’s internal systems — including Slack and AWS — were protected by MFA.
The engineer’s computer also stored several sets of credentials belonging to other PowerSchool employees, which TechCrunch saw. The credentials appear to allow similar access to the company’s Slack, source code repositories, and other internal company systems.
Of the dozens of PowerSchool credentials we saw in the logs, many were short and basic in complexity, and some consisted of only a few letters and numbers. Many of the account passwords used by PowerSchool employees matched credentials that had already been compromised in previous data breaches, according to Have I Been Pwned’s list of stolen passwords.
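As an added illustration (not code from the article or from PowerSchool), the check below shows how a defender can test a candidate password against a breach corpus using the k-anonymity scheme of Have I Been Pwned’s Pwned Passwords range API, alongside the length and complexity rules the article mentions. The range response embedded here is constructed sample data; the only real value in it is the SHA-1 of "password".

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Pwned Passwords "range" response for the SHA-1 prefix 5BAA6.
# The real API (GET https://api.pwnedpasswords.com/range/<prefix>) returns one
# "<35-char suffix>:<count>" line per hash sharing that 5-char prefix, so the full
# password hash never leaves the client. Counts and the other suffixes are made up.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",  # sha1("password"), constructed count
        "35F3A5BF4A9E4E20F8A55C6DA5B9E0F4A30:1",
    ]),
}

def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF endings."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str,
                 fetch_range: Callable[[str], str] = lambda p: SAMPLE_RANGE_RESPONSES.get(p, "")) -> int:
    """How many times the password appears in the breach corpus (0 = never seen).
    Swap fetch_range for an HTTPS GET of the real endpoint to query the live service."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_findings(password: str, min_length: int = 12) -> List[str]:
    """Findings a password-policy check would raise: too short, too few character
    classes (lower, upper, digit, other), or already present in a breach corpus."""
    findings: List[str] = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = sum(any(test(c) for c in password)
                  for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        findings.append("low complexity: fewer than 3 character classes")
    seen = breach_count(password)
    if seen:
        findings.append(f"found in known breaches {seen} times")
    return findings
```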
TechCrunch has not tested the stolen usernames and passwords on any PowerSchool systems, because doing so would be illegal. As such, it is not possible to determine whether any of the credentials are still in active use or whether any of them are protected by MFA.
PowerSchool said it could not comment on the passwords without seeing them. (TechCrunch withheld the credentials to protect the identity of the hacked engineer.) The company said it has “strong protocols in place for password security, including minimum lengths and complexity requirements, and passwords are rotated in line with NIST recommendations.” After the hack, PowerSchool “conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts,” the company said, referring to the customer support portal that was hacked.
PowerSchool said it uses single sign-on technology and MFA for both employees and contractors. Contractors are provided with laptops or access to its virtual desktop environment that contains security controls, such as anti-malware and a VPN to connect to company systems, the company said.
Questions remain about the PowerSchool data breach and its subsequent handling of the incident, as affected school districts continue to evaluate the number of current and former students and staff whose personal data was stolen in the breach.
Employees at school districts affected by the PowerSchool breach told TechCrunch that they are relying on crowdsourcing efforts from other school districts and customers to help administrators search their PowerSchool log files for evidence of data theft.
At press time, PowerSchool’s documentation of the breach could not be accessed without the customer logging into the company’s website.
Carly Page contributed reporting.
Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849, and Carly Page can be contacted securely on Signal at +44 1536 853968. You can also share documents securely with TechCrunch via SecureDrop.