PowerSchool has printed a long-awaited CrowdStrike investigation into its large December 2024 knowledge breach, which decided that the corporate was beforehand hacked over 4 months earlier, in August, after which once more in September.
PowerSchool is a cloud-based Ok-12 software program supplier serving over 60 million college students and 18,000 prospects worldwide, providing enrollment, communication, attendance, workers administration, studying, analytics, and finance options.
In December, the corporate introduced that hackers had gained unauthorized entry to its buyer help portal, named PowerSource. This portal included a distant upkeep software that allowed the risk actor to connect with prospects’ databases and steal delicate data, together with full names, bodily addresses, contact data, Social Safety numbers (SSNs), medical knowledge, and grades.
Though the corporate has not formally disclosed the variety of individuals impacted by this incident, BleepingComputer first reported that the risk actor claimed to have stolen the info of 72 million individuals, together with college students and academics.
Older breach uncovered
In an replace printed late final week, PowerSchool shared a CrowdStrike incident report that was compiled on February 28, 2025.
In that report, CrowdStrike confirms that the risk actors breached PowerSchool by means of PowerSource utilizing compromised credentials and maintained their entry between December 19, 2024, 19:43:14 UTC, and December 28, 2024, 06:31:18 UTC.
The cybersecurity agency additionally confirmed that the risk actor exfiltrated academics’ and college students’ knowledge from the compromised programs, although it notes there is not any proof that different databases have been stolen.
Equally, there is not any proof that malware was planted on PowerSchool programs or that the risk actor escalated their privilege, moved laterally, or downstream to buyer/faculty programs.
CrowdStrike famous that, as of January 2, 2025, its darkish net intelligence confirmed that the risk actors stored their promise to not publish knowledge after an extortion demand was paid, because the cybersecurity agency has not discovered the info supplied on the market or leaked on-line.
CrowdStrike additionally discovered that risk actors breached PowerSource even sooner than December, with the identical compromised credentials used months earlier, in August and September 2024.
Nevertheless, there’s not sufficient knowledge to verify if it was the identical risk actor behind the entire breaches.
“Starting on August 16, 2024, at 01:27:29 UTC, PowerSource logs confirmed that an unknown actor efficiently accessed the PowerSchool PowerSource portal utilizing the compromised help credentials,” explains CrowdStrike.
“CrowdStrike didn’t discover ample proof to attribute this exercise to the Menace Actor liable for the exercise in December 2024.”
“The obtainable SIS log knowledge didn’t return far sufficient to indicate whether or not the August and September exercise included unauthorized entry to PowerSchool SIS knowledge.”
Right now, PowerSchool has nonetheless not formally shared the whole variety of impacted colleges, college students, or academics, elevating considerations about transparency.
Nevertheless, sources instructed BleepingComputer that the breach impacted 6,505 faculty districts within the US, Canada, and different international locations, with 62,488,628 college students and 9,506,624 academics having their knowledge stolen.
BleepingComputer has contacted PowerSchool to ask for extra particulars relating to the most recent findings, and we’ll replace this submit if we hear again.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and learn how to defend in opposition to them.