Full Report
Google is working to resolve authentication failures preventing users from signing into their Clever and ClassLink accounts on some ChromeOS devices. [...]
Analysis Summary
# Incident Report: ChromeOS Authentication Failures Affecting SSO Access
## Executive Summary
A recent update to ChromeOS (version 16328.55.0 with Chrome browser 139.0.7258.137) introduced an issue causing widespread authentication failures for users attempting to sign into third-party educational platforms like Clever and ClassLink via Single Sign-On (SSO). The impact primarily affected educational institutions relying on these services. Google mitigated the immediate impact by providing administrators with two workarounds: rolling back the OS version or modifying the authentication flow.
## Incident Details
- **Discovery Date:** Prior to or around August 28, 2025 (when the status update occurred).
- **Incident Date:** Occurred following an update to ChromeOS version 16328.55.0 / Chrome browser 139.0.7258.137.
- **Affected Organization:** Organizations using ChromeOS devices in educational settings (K-12/Higher Education).
- **Sector:** Education Technology.
- **Geography:** Global, affecting users served by Clever and ClassLink (including 50 U.S. states and 42 countries).
## Timeline of Events
### Initial Access
- **Date/Time:** Following the deployment of ChromeOS version 16328.55.0 / Chrome browser 139.0.7258.137.
- **Vector:** Software update mechanism (automatic OS update).
- **Details:** The specific software update introduced a faulty authentication pathway.
### Lateral Movement
- Not applicable; this was an access/authentication failure issue, not a network compromise.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Access disruption to digital resources managed by Clever and ClassLink. Potential blockage of 2-Step Verification (2SV) processes for some Google services.
### Detection & Response
- **How it was discovered:** Users reported inability to log in, leading to escalation on the Google Workspace Status Dashboard and partner status pages (Clever).
- **Response actions taken:** Google shared two temporary workarounds: OS rollback or modification of the authentication flow setting.
## Attack Methodology
- **Initial Access:** Not an external attack; issue stemmed from a system update.
- **Persistence:** Not applicable.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Authentication mechanism failure.
## Impact Assessment
- **Financial:** Not disclosed, but potential lost productivity for educators and students.
- **Data Breach:** None indicated; the issue was related to authentication and access control.
- **Operational:** Significant disruption to Single Sign-On access for students and staff relying on Clever and ClassLink to access digital learning resources. Potential interruption to 2SV processes.
- **Reputational:** Minor if quickly resolved, but ongoing failures in critical educational access tools impact trust.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (issue tied to OS version/configuration).
- **File indicators:** Affected devices running ChromeOS version 16328.55.0 with Chrome browser version 139.0.7258.137.
- **Behavioral indicators:** Authentication process failures when signing into Clever or ClassLink accounts using Google credentials, and potential failures in 2SV prompts.
## Response Actions
- **Containment measures:** Administrators were instructed to temporarily disable the problematic authentication pathway by changing the setting to "Authentication via the default GAIA flow."
- **Eradication steps:** Engineering teams conducted automated testing on a potential fix for the faulty pathway.
- **Recovery actions:** Administrators were instructed to roll back devices to the previous stable ChromeOS M138 version if desired, or wait for the permanent software patch.
## Lessons Learned
- **Key takeaways:** Software updates, even internal ones, can introduce significant compatibility or functionality breaks, especially when integrated with critical third-party SSO identity providers used widely in sensitive sectors like education.
- **What could have been done better:** Tighter integration testing between ChromeOS updates and established educational SSO partners (Clever/ClassLink) might have caught the authentication regression pre-release.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Implement stricter version control and staging environments for mission-critical operating system versions before mass deployment.
  2. Establish Service Level Agreements (SLAs) or pre-release testing protocols with key infrastructure partners (like Clever/ClassLink) covering critical login paths.
  3. Mandate that administrators utilize the provided rollback mechanism for critical operational breaks until a permanent, verified fix is deployed.