Security Advisory - breachforums.vc

July 12, 2023

This incident is NOT related to ClassLink.

Beginning July 5, 2023, ClassLink has been monitoring and assisting schools in investigating posts of directory data (Posted Directory Data) made on https://breachforums.vc/ by a threat actor named “FentanylTroia”.

[UPDATED ON 7/13] Collectively, the posts now impact 223+ organizations, nearly all of which are K12 or Higher Ed orgs, and the directory data for 4.5+ million people. For nearly all the institutions, only names and emails were posted, hence the description ‘directory data’; most in the industry do not consider name and email to be ‘Personally Identifiable Information’ (PII).

What We Know

  • About the breachforums.vc platform
  • About the Posted Directory Data
    • The fields in the Posted Directory Data include {Name, Email, Phone, Job}. However, ‘Phone’ and ‘Job’ are mostly blank for many schools. For a few schools, the Job field contains actual job titles (e.g. ‘Teacher’) or student grade level (e.g. ‘Grade 07’).
    • Most schools that downloaded and analyzed their data said it appears to be very recent, so we believe this is not a repost of previously gathered data but rather data obtained very recently.
  • Posted Directory Data DID NOT originate from ClassLink because of the following
    • [UPDATED ON 7/13] About 40% of impacted organizations are NOT ClassLink customers.
    • Data samples offered in some of the posts are not contained within ClassLink systems (including Roster Server, OneSync, and LaunchPad).
    • ClassLink customers who have downloaded and analyzed their data have confirmed the records contained therein are not from their ClassLink systems, rather they have confirmed the source of the Posted Directory Data is their Google directory.
  • Preliminary findings
    • As the source of the Posted Directory Data seems to be Google or O365 directories (the threat actor has made this claim as well), this suggests either:
      • a scrape of the organization’s Google or 365 directories using a user account obtained through phishing, or
      • a compromise of a third-party app (or its APIs)

What Do We Recommend As the Next Steps?

  • Activate your Security Incident Response Protocol if your school organization has been specifically named.
  • Investigate what level of directory access or which third-party apps might be unique to the specific group of user accounts in the Posted Directory Data (easier for those schools where the Posted Directory Data is a smaller subset of their overall school population).
    • [UPDATED ON 09/01] ClassLink Administrators, check out the Scope Your Google Directory course in ClassLink Academy. The course covers how to mitigate the risk of data scraping by leveraging custom attributes, OU visibility settings, API controls, and more.
  • ClassLink is supporting its customers by creating a space for school leaders to share information and determine the root cause of this incident.
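The investigation step above (finding what is unique to the accounts that appear in the Posted Directory Data) can be done with a simple set comparison against the school’s own directory export. The script below is an added example, not ClassLink code: it assumes a posted-data CSV in the {Name, Email, Phone, Job} layout the advisory describes and a hypothetical directory export with Email, OU, and a semicolon-separated Apps column (the third-party apps each account has authorized). Both inputs here are constructed sample data. For each OU and each app it counts how many of that group’s accounts were leaked versus how many exist, and flags any group whose membership exactly equals the leaked set, which is the kind of signal that points at a specific app or directory scope as the source.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of Posted Directory Data (Name, Email, Phone, Job).
POSTED_CSV = """Name,Email,Phone,Job
Ann Example,ann@school.example,,Teacher
Bob Example,bob@school.example,,Grade 07
Cat Example,cat@school.example,,
Dan Example,Dan@School.example,,Grade 07
"""

# Constructed export of the school's own directory (hypothetical columns).
# Apps = third-party apps the account has authorized, ';'-separated.
DIRECTORY_CSV = """Email,OU,Apps
ann@school.example,/Staff,gradebook;calendar-sync
bob@school.example,/Students/MS,gradebook;calendar-sync
cat@school.example,/Students/MS,gradebook
dan@school.example,/Students/MS,gradebook;calendar-sync
eve@school.example,/Staff,calendar-sync
fay@school.example,/Students/HS,
"""


def normalize_email(addr: str) -> str:
    """Case-fold and trim so posted and directory addresses compare equal."""
    return addr.strip().lower()


def parse_posted(text: str) -> set:
    """Return the set of e-mail addresses that appear in the posted data."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize_email(r["Email"]) for r in rows if r.get("Email")}


def parse_directory(text: str) -> dict:
    """Map each directory account to its OU and the set of apps it authorized."""
    out = {}
    for r in csv.DictReader(io.StringIO(text)):
        apps = {a.strip() for a in r["Apps"].split(";") if a.strip()}
        out[normalize_email(r["Email"])] = {"ou": r["OU"].strip(), "apps": apps}
    return out


def group_coverage(leaked: set, directory: dict, groups_of) -> dict:
    """For each group, return (accounts in the leak, accounts in the directory)."""
    cov = defaultdict(lambda: [0, 0])
    for email, rec in directory.items():
        for g in groups_of(rec):
            cov[g][1] += 1
            if email in leaked:
                cov[g][0] += 1
    return {g: tuple(v) for g, v in cov.items()}


def explaining_groups(cov: dict, n_leaked: int) -> list:
    """Groups whose membership is exactly the leaked set: every member leaked,
    and every leaked account is a member."""
    return sorted(g for g, (leaked, total) in cov.items()
                  if leaked == total == n_leaked)


def triage(posted_csv: str = POSTED_CSV, directory_csv: str = DIRECTORY_CSV) -> dict:
    posted = parse_posted(posted_csv)
    directory = parse_directory(directory_csv)
    matched = posted & set(directory)
    ou_cov = group_coverage(matched, directory, lambda r: [r["ou"]])
    app_cov = group_coverage(matched, directory, lambda r: r["apps"])
    return {
        "matched": len(matched),
        # posted addresses not in our directory: possibly stale or another org
        "unknown": sorted(posted - set(directory)),
        "ou_coverage": ou_cov,
        "app_coverage": app_cov,
        "ou_candidates": explaining_groups(ou_cov, len(matched)),
        "app_candidates": explaining_groups(app_cov, len(matched)),
    }


if __name__ == "__main__":
    result = triage()
    print(f"matched accounts: {result['matched']}, unknown: {result['unknown']}")
    for label in ("ou_coverage", "app_coverage"):
        for g, (leaked, total) in sorted(result[label].items()):
            print(f"{label:13s} {g:20s} {leaked}/{total}")
    print("OU candidates :", result["ou_candidates"])
    print("app candidates:", result["app_candidates"])
```

In the constructed sample every leaked account, and only those accounts, had authorized the hypothetical “gradebook” app, while no single OU matches the leaked set; that is the pattern a school would then follow up on by reviewing that app’s directory permissions and API access. With real data the same comparison is only meaningful when the posted set is a strict subset of the directory, as the advisory notes.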

Although ClassLink did NOT cause this incident, we remain committed to supporting our school organizations and will continue to provide updates as we are made aware of them. Please reach out to Jeff Janover, VP of Security and Interoperability at jeff.janover@classlink.com with any questions.

Stay safe.


About the Author

Stanley Watts, Chief Technology Officer, ClassLink