BLOCKAWAY

PowerSchool Breach Began Months Earlier Than Reported, CrowdStrike Investigation Reveals

A new forensic investigation has revealed that PowerSchool, a major provider of education software, was compromised months before it publicly acknowledged a data breach in December 2024. The investigation, conducted by cybersecurity firm CrowdStrike, shows that attackers had gained access to PowerSchool’s systems as early as August 16, 2024, using the same credentials that would later be involved in the December breach.

Initially, PowerSchool disclosed that unauthorized access occurred between December 19 and December 28, 2024. However, CrowdStrike’s findings indicate the breach timeline stretches back at least four months. The compromised credentials were not rotated or revoked after the initial intrusion, allowing threat actors to exploit them again later in the year.

This lapse in security has had massive consequences. While PowerSchool has not confirmed the total number of individuals affected, sources familiar with the matter estimate the breach may have exposed the personal data of up to 72 million students, teachers, and school staff members across thousands of institutions. The data includes sensitive information such as names, home addresses, Social Security numbers, medical records, and academic records.

According to CrowdStrike’s report, attackers accessed PowerSchool’s PowerSource customer support portal and used an internal maintenance tool to reach connected school databases. Although PowerSchool’s system logs did not retain enough historical data to confirm whether the attackers accessed student data back in August or September, CrowdStrike stated that failing to disable the compromised credentials enabled the December breach to occur.

CrowdStrike’s investigation could not definitively link the August and December intrusions to the same attackers due to insufficient logging data. However, the use of identical login credentials in both incidents suggests a significant oversight in PowerSchool’s internal security practices. The report underscores that updating or deactivating the exposed credentials after the first intrusion might have prevented the second.

TechCrunch first reported on CrowdStrike’s findings, which have since fueled broader questions about PowerSchool’s transparency and response to the breach. The company has not confirmed whether it had any awareness of the August compromise before CrowdStrike’s discovery. This lack of disclosure has raised concerns about how the company handles cybersecurity incidents and whether it meets basic standards of accountability.

To date, there has been no confirmed evidence that the stolen data has been leaked publicly. PowerSchool stated in an FAQ that it paid a ransom to prevent the data from being exposed on the dark web. According to the company, the attackers provided a video as proof that the data was deleted. As of February 28, 2025, dark web monitoring has not revealed any signs of the stolen information being published or sold.

Even so, cybersecurity experts are warning that the absence of leaked data does not guarantee long-term safety. Threat actors are known to delay public leaks or sell data in private forums long after a breach has occurred. In this case, the scale of the breach — impacting more than 6,500 school districts across the United States, Canada, and other countries — makes the risk particularly high.

PowerSchool’s failure to implement basic security protocols, such as revoking compromised credentials, has drawn criticism from across the cybersecurity community. Experts argue that this incident serves as a prime example of how minor oversights can lead to major breaches, especially in sectors that handle highly sensitive personal data.

“This breach could have been contained months earlier,” said Olivia Hart, a cybersecurity consultant with expertise in education technology. “Failing to address known vulnerabilities is an open invitation for attackers to come back. In this case, they did — and millions were affected.”

The company has yet to release a full public accounting of what data was accessed or the specific number of affected users. Meanwhile, school districts are scrambling to assess the potential impact on students and staff. Many are also reevaluating their reliance on centralized education platforms that house vast amounts of personal information.

As federal and state investigations continue, there are growing calls for more stringent regulations on companies providing digital services to schools. Educational institutions often lack the cybersecurity infrastructure to monitor vendors and depend on providers like PowerSchool to maintain high standards of data protection.

“The PowerSchool breach is a wake-up call for the education sector,” said Hart. “It’s time for school systems to demand greater transparency, stronger contractual obligations, and real-time breach notification policies from their software vendors.”

With the investigation still ongoing, and the long-term consequences yet to be fully understood, PowerSchool’s handling of the breach may have lasting effects on its reputation and its relationships with school districts around the world. For now, the focus remains on securing systems, supporting those affected, and preventing similar breaches in the future.
