In September 2024, a 19-year-old hacker named Matthew Lane broke into PowerSchool. PowerSchool is the software system that's used by almost every school in America. The system manages student records, grades, attendance, contact information, Social Security numbers... everything.
Lane stole the records of 60 million students and 10 million educators. He moved the data to a server in Ukraine and waited three months before making contact. When he finally reached out to the company, his ransom demand was $2.85 million in Bitcoin. His message to PowerSchool was this: "We fully intend to destroy your company and bankrupt it to the point of no absolute return" if they didn't pay.

PowerSchool refused to pay the ransom and began working with the authorities. The FBI moved in and quickly caught up with Lane. By the time they arrested him, roughly $3 million had already disappeared into cryptocurrency exchanges and digital wallets. Some of it had been converted to cash. Some was still sitting in accounts waiting to be claimed.
Federal prosecutors described Lane as sophisticated and experienced. They connected him to another extortion case where he received $200,000 from a telecommunications company earlier that year. Lane lived a luxurious lifestyle with the money he stole. Designer clothes. Jewelry. Expensive Airbnbs rented for parties.
So how did he actually get in? Lane used stolen credentials that belonged to a PowerSchool contractor. Once he had those credentials, he could log in directly. No need to exploit a vulnerability. No need to find a zero-day. He just walked through the front door using someone else's key.
It's why the breach went undetected for over 100 days. From September when Lane first got access until December when he made his ransom demand, PowerSchool had no idea someone unauthorized was inside their network using legitimate credentials. He wasn't triggering alarms. He was just a contractor doing their job, except he wasn't a contractor at all.



