Los Angeles Unified School District confirms that student data, including their locations, was stolen in a Snowflake account hack

In early June 2024, a hacker known as “Sp1d3r” listed a database for sale on the dark web, claiming it contained data from the Los Angeles Unified School District (LAUSD) stolen from their Snowflake account. Priced at $150,000, the listing advertised sensitive information such as student names, addresses, family details, demographics, financial records, grades, performance scores, disability information, discipline records, and parent information. This breach exposed millions of students’ data, raising significant concerns about privacy and security.

LAUSD later confirmed the authenticity of the breach. They revealed that the stolen data was maintained by one or more of their external vendors on Snowflake, a cloud-based data storage platform. Despite no evidence that LAUSD’s own systems or networks were compromised, LAUSD emphasized their active cooperation with the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other vendors to assess the breach’s full impact.

Meanwhile, another hacker group, “The Satanic Cloud,” led by “Satanic,” leaked similar data on various cybercrime platforms, including Breach Forums and Russian-speaking sites. This breach affected 26 million records with current and former student information, more than 24,000 teacher records, and around 500 staff records.

The leaked data included:

  • Gender
  • Ethnicity
  • Zip Codes
  • Current City
  • Date of Birth
  • ID Numbers
  • School Names
  • School Phone Numbers
  • Phone Numbers
  • Email Addresses
  • Home Addresses
  • Home Location Coordinates
  • Immigration Status
  • Parent/Guardian ID Numbers
  • District Student ID Numbers
  • Full Names (First, Middle, Last)
  • City and Country of Birth
  • Parents’ Details (Full Names, Phone Numbers, Home and Email Addresses)

For teachers and staff, the data included similar personal details along with employment status, seniority data, and education qualifications.

Investigations conducted by Snowflake, Mandiant, and CrowdStrike revealed that the attackers, tracked as UNC5537, exploited credential stuffing techniques on accounts lacking multi-factor authentication (MFA). Credential stuffing involves using stolen username and password combinations from other breaches to gain unauthorized access to accounts. This technique allowed the hackers to target at least 165 organizations, download vast amounts of data, and attempt extortion by threatening to sell or leak the data if ransoms were not paid.

Snowflake’s report, compiled with the help of Mandiant and CrowdStrike, confirmed that their infrastructure remained intact. The attackers broke into these accounts through brute force and credential stuffing, particularly targeting accounts without MFA. This breach not only affected LAUSD but also impacted other major companies, including Ticketmaster, Santander Bank, Advance Auto Parts, and Pure Storage.
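The pattern described above (one source trying many accounts, mostly failing, then succeeding on an account with no second factor) is what a defender would look for in login telemetry. The following is an added example, not code from LAUSD, Snowflake, Mandiant or CrowdStrike: it runs a simple credential-stuffing detector over a constructed set of login events whose field names (ts, user, src_ip, success, mfa) are assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real LAUSD or Snowflake logs). One source
# cycles through five accounts in a few seconds, fails four times, and succeeds
# on an account that never had MFA enabled; a second source is a normal user.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:00:01", "user": "alice", "src_ip": "203.0.113.7", "success": False, "mfa": False},
    {"ts": "2024-06-01T02:00:02", "user": "bob",   "src_ip": "203.0.113.7", "success": False, "mfa": False},
    {"ts": "2024-06-01T02:00:03", "user": "carol", "src_ip": "203.0.113.7", "success": False, "mfa": False},
    {"ts": "2024-06-01T02:00:04", "user": "dave",  "src_ip": "203.0.113.7", "success": False, "mfa": False},
    {"ts": "2024-06-01T02:00:05", "user": "erin",  "src_ip": "203.0.113.7", "success": True,  "mfa": False},
    {"ts": "2024-06-01T09:15:00", "user": "alice", "src_ip": "198.51.100.4", "success": True,  "mfa": True},
    {"ts": "2024-06-01T09:16:00", "user": "alice", "src_ip": "198.51.100.4", "success": False, "mfa": True},
]


def detect_credential_stuffing(events, window_s=600, min_users=4, min_fail_ratio=0.5):
    """Flag source IPs that attempt >= min_users distinct accounts within any
    window_s-second window with a failure ratio >= min_fail_ratio, and record
    which accounts they logged into successfully without a second factor."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event fits in window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            fail_ratio = sum(1 for e in window if not e["success"]) / len(window)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                f = findings.setdefault(src, {"max_distinct_users": 0, "max_fail_ratio": 0.0,
                                              "non_mfa_successes": set()})
                f["max_distinct_users"] = max(f["max_distinct_users"], len(users))
                f["max_fail_ratio"] = max(f["max_fail_ratio"], fail_ratio)
                f["non_mfa_successes"].update(e["user"] for e in window if e["success"] and not e["mfa"])
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(src, f)
```

Accounts listed under non_mfa_successes are the ones to reset and enforce MFA on first; the thresholds are starting points to tune against an organization's own baseline.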

The implications of these breaches are severe. Exposing such a vast amount of sensitive data can lead to identity theft, phishing scams, and other malicious activities. The data includes personal information that can be exploited in numerous ways, putting individuals at significant risk. For students, the exposure of their personal contact and location details is particularly alarming, as they are among the most vulnerable members of society.

Parents, teachers, staff, and students should remain vigilant about unsolicited emails, texts, and phone calls that could be attempts to steal additional information such as passwords. It is crucial to monitor for any signs of identity theft, fake social media profiles, or other malicious activity.

The LAUSD breach serves as a stark reminder of the importance of robust cybersecurity practices and the far-reaching consequences of data breaches. As cyber threats continue to evolve, organizations must stay ahead of potential risks and protect the personal information of those they serve.