A cyberattack and data breach at U.S. edtech giant PowerSchool that was discovered December 28 threatens to expose the private data of tens of millions of school children and teachers. 

PowerSchool told customers the breach was linked to the compromise of a subcontractor’s account. TechCrunch learned this week of a separate security incident, involving a PowerSchool software engineer, whose computer was infected with malware that stole their company credentials prior to the cyberattack.

It’s unlikely the subcontractor mentioned by PowerSchool and the engineer identified by TechCrunch are the same person. The theft of the engineer’s credentials raises further doubts about the security practices at PowerSchool, which was acquired by private equity giant Bain Capital in a $5.6 billion deal last year.

PowerSchool has shared only a few details publicly about its cyberattack, as affected school districts begin notifying their students and teachers of the data breach. The company’s website says its school records software is used by 18,000 schools to support more than 60 million students across North America. 

In a communication shared with its customers last week and viewed by TechCrunch, PowerSchool confirmed the unnamed hackers stole “sensitive personal information” on students and teachers, including some students’ Social Security numbers, grades, demographics, and medical information. PowerSchool has not yet said how many customers are affected by the cyberattack, but several school districts hit by the breach have told TechCrunch their logs show the hackers stole “all” of their historical student and teacher data.

One person who works at an affected school district told TechCrunch they have evidence that highly sensitive information about students was exfiltrated in the breach. The person gave examples, such as information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medications. Other people at affected school districts told TechCrunch that the stolen data will depend on what each individual school added to their PowerSchool systems.  

According to sources speaking with TechCrunch, PowerSchool told its customers that the hackers broke into the company’s systems using a single compromised maintenance account associated with a technical support subcontractor to PowerSchool. On its incident page that launched this week, PowerSchool said it identified the unauthorized access in one of its customer support portals.

PowerSchool spokesperson Beth Keebler confirmed to TechCrunch on Friday the subcontractor’s account used to breach the customer support portal was not protected with multi-factor authentication, a widely used security feature that can help to protect accounts against hacks linked to password theft. PowerSchool said MFA has since been rolled out. 

PowerSchool is working with incident response firm CrowdStrike to investigate the breach and a report is expected to be released as early as Friday. When reached by email, CrowdStrike deferred comment to PowerSchool.

Keebler told TechCrunch that the company “cannot verify the accuracy” of our reporting. “CrowdStrike’s initial analysis and findings show no evidence of system-layer access associated with this incident nor any malware, virus or backdoor,” Keebler told TechCrunch. PowerSchool would not say if it had received the report from CrowdStrike, nor would it say if it planned to publicly release its findings.

PowerSchool said its review of exfiltrated data is ongoing and did not provide an estimate of the number of students and teachers whose data was affected.

According to a source with knowledge of cybercriminal operations, logs obtained from the computer of an engineer working for PowerSchool show that their device was hacked by the prolific LummaC2 infostealing malware prior to the cyberattack.

It’s unclear exactly when the malware was installed. The source said the passwords were stolen from the engineer’s computer in January 2024 or earlier. 

Infostealers have become an increasingly effective route for hackers breaking into companies, especially with the rise of remote and hybrid work, which often permits employees to use their personal devices to access work accounts. As Wired explains, this creates opportunities for infostealing malware to install on someone’s home computer, but still end up with credentials capable of corporate access because the employee was also logged in to their work systems. 

The cache of LummaC2 logs, seen by TechCrunch, include the engineer’s passwords, browsing history from two of their web browsers, and a file containing identifiable and technical information about the engineer’s computer. 

Some of the stolen credentials appear to be associated with PowerSchool’s internal systems.

The logs show that the malware extracted the engineer’s saved passwords and browsing histories from their Google Chrome and Microsoft Edge browsers. The malware then uploaded the cache of logs, including the engineer’s stolen credentials, to servers controlled by the malware’s operator. From there, the credentials were shared with a broader online community, including closed cybercrime-focused Telegram groups, where corporate account passwords and credentials are sold and traded among cybercriminals.

The malware logs contain the engineer’s passwords for PowerSchool’s source code repositories, its Slack messaging platform, its Jira instance for bug and issue tracking, and other internal systems. The engineer’s browsing history also shows they had broad access to PowerSchool’s account on Amazon Web Services, which included full access to the company’s AWS-hosted S3 cloud storage servers.

We are not naming the engineer as there is no evidence they did anything wrong. As we have noted before about breaches in similar circumstances, it is ultimately the responsibility of companies to implement defenses and enforce security policies that prevent intrusions caused by the theft of employee credentials.

When asked by TechCrunch, PowerSchool’s Keebler said the person whose compromised credentials were used to breach PowerSchool’s systems did not have access to AWS, and that PowerSchool’s internal systems — including Slack and AWS — are protected with MFA.

The engineer’s computer also stored several sets of credentials belonging to other PowerSchool employees, which TechCrunch has seen. The credentials appear to allow similar access to the company’s Slack, source code repositories, and other internal company systems. 

Of the dozens of PowerSchool credentials we’ve seen in the logs, many were short and basic in complexity, with some made up of only a few letters and numbers. Several of the account passwords used by PowerSchool matched credentials that had already been compromised in previous data breaches, according to Have I Been Pwned’s updating list of stolen passwords.

TechCrunch did not test the stolen usernames and passwords on any PowerSchool systems, as doing so would be unlawful. As such, it cannot be determined if any of the credentials are still in active use or if any were protected with MFA.

PowerSchool said it could not comment on the passwords without seeing them. (TechCrunch withheld the credentials to protect the hacked engineer’s identity.) The company said it has “robust protocols in place for password security, including minimum lengths and complexity requirements, and passwords are rotated in alignment with NIST recommendations.” The company said following the breach, PowerSchool has “conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts,” referring to the customer support portal that was breached.

PowerSchool said it uses single sign-on technology and MFA for both employees and contractors. The company said contractors are provided laptops or access to its virtual desktop environment that have security controls, such as anti-malware and a VPN for connecting to the company’s systems.

Questions remain about PowerSchool’s data breach and its subsequent handling of the incident, as affected school districts continue to assess how many of their current and former students and staff had personal data stolen in the breach.

Staff at school districts affected by the PowerSchool breach tell TechCrunch they are relying on crowdsourced efforts from other school districts and customers to help administrators search their PowerSchool log files for evidence of data theft. 

At the time of publication, PowerSchool’s documentation on the breach cannot be accessed without a customer login for the company’s website.

Carly Page contributed reporting.

Contact Zack Whittaker securely on Signal and WhatsApp at +1 646-755-8849, and Carly Page can be contacted securely on Signal at +44 1536 853968. You can also share documents securely with TechCrunch via SecureDrop.