Starfolk
A massive cyberattack on U.S. edtech giant PowerSchool has exposed the private data of tens of millions of school children and teachers, with hackers stealing sensitive information including Social Security numbers, grades, demographics, and medical records. The breach, discovered on December 28, has sparked widespread concern among affected school districts, which are only now beginning to notify their students and teachers of the data breach.
PowerSchool, which was acquired by private equity giant Bain Capital in a $5.6 billion deal last year, has shared only limited details about the cyberattack. However, TechCrunch has learned that the breach was linked to the compromise of a subcontractor's account, which was used to break into the company's systems. Additionally, a separate security incident involving a PowerSchool software engineer, whose computer was infected with malware that stole their company credentials prior to the cyberattack, has raised further doubts about the security practices at PowerSchool.
The stolen data includes sensitive personal information on students and teachers, with some school districts reporting that the hackers stole "all" of their historical student and teacher data. One person who works at an affected school district told TechCrunch that they have evidence that highly sensitive information about students was exfiltrated in the breach, such as information about parental access rights to their children, including restraining orders, and information about when certain students need to take their medications.
PowerSchool has confirmed that the hackers broke into the company's systems using a single compromised maintenance account associated with a technical support subcontractor to PowerSchool. The account was not protected with multi-factor authentication (MFA), a widely used security feature that can help protect accounts against hacks linked to password theft. PowerSchool has since rolled out MFA, but the incident has raised questions about the company's security practices.
The cyberattack has also highlighted the risks associated with infostealing malware, which has become an increasingly effective route for hackers breaking into companies. In this case, the malware, known as LummaC2, was installed on the computer of a PowerSchool engineer, who had access to the company's internal systems, including its source code repositories, Slack messaging platform, and Amazon Web Services (AWS) account. The malware extracted the engineer's saved passwords and browsing histories from their Google Chrome and Microsoft Edge browsers, which were then uploaded to servers controlled by the malware's operator.
The stolen credentials were shared with a broader online community, including closed cybercrime-focused Telegram groups, where corporate account passwords and credentials are sold and traded among cybercriminals. PowerSchool has said that the person whose compromised credentials were used to breach the company's systems did not have access to AWS, and that the company's internal systems, including Slack and AWS, are protected with MFA.
However, TechCrunch has seen dozens of PowerSchool credentials in the logs, many of which were short and basic in complexity, with some made up of only a few letters and numbers. Several of the account passwords used by PowerSchool matched credentials that had already been compromised in previous data breaches. PowerSchool has said that it has "robust protocols in place for password security, including minimum lengths and complexity requirements, and passwords are rotated in alignment with NIST recommendations."
The company has also conducted a full password reset and further tightened password and access control for all PowerSource customer support portal accounts. However, questions remain about PowerSchool's data breach and its subsequent handling of the incident, as affected school districts continue to assess how many of their current and former students and staff had personal data stolen in the breach.
Staff at school districts affected by the PowerSchool breach are relying on crowdsourced efforts from other school districts and customers to help administrators search their PowerSchool log files for evidence of data theft. At the time of publication, PowerSchool's documentation on the breach cannot be accessed without a customer login for the company's website.
The incident serves as a stark reminder of the importance of robust security practices, including the use of MFA and regular password rotation, to protect sensitive data. As the investigation into the breach continues, affected school districts and customers will be watching closely to see how PowerSchool responds to this major security incident.