PowerSchool previously hacked in August, months before data breach


PowerSchool has published a long-awaited CrowdStrike investigation into its massive December 2024 data breach, which determined that the company was previously hacked over 4 months earlier, in August, and then again in September.

PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions.

In December, the company announced that hackers had gained unauthorized access to its customer support portal, named PowerSource. This portal included a remote maintenance tool that allowed the threat actor to connect to customers’ databases and steal sensitive information, including full names, physical addresses, contact information, Social Security numbers (SSNs), medical data, and grades.

Although the company has not officially disclosed the number of people impacted by this incident, BleepingComputer first reported that the threat actor claimed to have stolen the data of 72 million people, including students and teachers.

Older breach uncovered

In an update published late last week, PowerSchool shared a CrowdStrike incident report that was compiled on February 28, 2025.

In that report, CrowdStrike confirms that the threat actors breached PowerSchool through PowerSource using compromised credentials and maintained their access between December 19, 2024, 19:43:14 UTC, and December 28, 2024, 06:31:18 UTC.

The cybersecurity firm also confirmed that the threat actor exfiltrated teachers’ and students’ data from the compromised systems, though it notes there’s no evidence that other databases were stolen.

Similarly, there’s no evidence that malware was planted on PowerSchool systems or that the threat actor escalated privileges, moved laterally, or moved downstream to customer/school systems.

CrowdStrike noted that, as of January 2, 2025, its dark web intelligence showed that the threat actors kept their promise not to publish data after an extortion demand was paid, as the cybersecurity firm has not found the data offered for sale or leaked online.

CrowdStrike also found that threat actors breached PowerSource even earlier than December, with the same compromised credentials used months earlier, in August and September 2024.

However, there is not enough data to confirm whether the same threat actor was behind all of the breaches.

“Beginning on August 16, 2024, at 01:27:29 UTC, PowerSource logs showed that an unknown actor successfully accessed the PowerSchool PowerSource portal using the compromised support credentials,” explains CrowdStrike.

“CrowdStrike did not find sufficient evidence to attribute this activity to the Threat Actor responsible for the activity in December 2024.”

“The available SIS log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data.”

At this time, PowerSchool has still not officially shared the total number of impacted schools, students, or teachers, raising concerns about transparency.

However, sources told BleepingComputer that the breach impacted 6,505 school districts in the US, Canada, and other countries, with 62,488,628 students and 9,506,624 teachers having their data stolen.

BleepingComputer has contacted PowerSchool to ask for more details regarding the latest findings, and we will update this post if we hear back.
