Paterson Public Schools suffered data breach compromising over 23,000 school district passwords

• The stolen data includes desktop logins, email usernames and passwords, and laptop credentials.
• The stolen email usernames and passwords belong to the school district employees including the superintendent, administrators, teachers, and other staff members.

What is the issue?

Attackers breached Paterson Public Schools and stole over 23,103 account passwords and other computer access tokens.

What was stolen?

• The stolen data includes desktop logins, email usernames and passwords, and laptop credentials.
• There’s no evidence of any financial data stolen, however, if bank account details were on computer files then the attacker might have stolen the information.

Worth noting

• The stolen email usernames and passwords belong to the school district employees including the superintendent, administrators, teachers, and other staff members.
• The stolen credentials were stored in a file that runs more than 116,000 lines.
• The stolen usernames are in plain text, while the passwords are encrypted yet easy to crack.

Attacker contacted the Paterson times

The Paterson times became aware of the breach first even before the school district.

The attacker contacted the Paterson times via an email claiming that he had access to “all information systems” in the district. He then followed up providing screenshots of two district employees’ Outlook email inboxes.

The attacker claimed that the information was stolen in October 2018 and that he still has access to the district systems. The attacker also proposed to sell the stolen data to the Paterson Times but was rejected.

The attacker was reportedly spooked when the Paterson Times said that the information will be used for a news story. Later, the attacker canceled the email account that was being used to communicate with the newspaper.

What’s the conclusion?

While the school district is conducting a comprehensive investigation on the incident, employees are requested to reset their passwords and never reuse passwords across multiple accounts.