Full Report
As noted on Reddit, PowerSchool appears to have been one of many victims of the Salesloft Drift/Salesforce campaign by Scattered LAPSUS$ Hunters. Like many other victims, PowerSchool did not disclose the incident publicly, but they did, however, post a notice in their closed users group. The notice was removed shortly thereafter, and several people have... Source
Analysis Summary
# Incident Report: PowerSchool Compromise via Salesloft/Drift Integration
## Executive Summary
PowerSchool was affected by a security incident originating from a compromise of the Salesloft Drift application, which resulted in unauthorized access to the Salesforce database PowerSchool uses for customer support. The attacker's primary goal appeared to be credential theft. While PowerSchool contained the incident to the Salesforce environment and stated that no other systems were affected, the breach exposed customer contact information, support case metadata, and case contents. The threat actor, associated with the Salesloft Drift campaign (tracked as UNC6395), claims the targeting was coincidental and has assured PowerSchool that no ransom demand will be made.
## Incident Details
- **Discovery Date:** August 23, 2025 (Date PowerSchool was notified)
- **Incident Date:** On or before August 23, 2025
- **Affected Organization:** PowerSchool
- **Sector:** Education Technology (EdTech)
- **Geography:** Not explicitly disclosed; US operations are implied by the reporting context.
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to August 23, 2025
- **Vector:** Compromise originating from the Salesloft Drift application integration utilized by PowerSchool.
- **Details:** Threat actor gained unauthorized access to the Salesforce database utilized by PowerSchool for customer support and internal case management.
### Lateral Movement
- **Details:** No lateral movement within PowerSchool's own network is reported. The confirmed access was limited to the third-party Salesforce environment reached through the Salesloft integration. The attackers claim they were targeting Salesloft customers in the IT/tech sector broadly rather than PowerSchool specifically.
### Data Exfiltration/Impact
- **Details:** Customer contact information, support case metadata, and the contents of support case communications were accessed. The main motivation cited by Salesloft was credential theft.
### Detection & Response
- **How it was discovered:** PowerSchool was notified of the security incident involving the Drift app on August 23, 2025.
- **Response actions taken:** PowerSchool notified users via an internal, later-removed notice in their closed users group, advised customers to check support cases for inadvertently submitted credentials, and stressed not sending credentials to vendors.
## Attack Methodology
- **Initial Access:** Compromise stemming from a third-party integration (Salesloft Drift).
- **Persistence:** Not explicitly detailed; the attacker held access to the Salesforce environment through the Salesloft Drift integration.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Motivated by stealing credentials, likely harvested from support case contents within the breached database.
- **Discovery:** Not detailed (likely internal scoping within the accessed Salesforce database).
- **Lateral Movement:** Restricted to the compromised Salesforce database environment; no evidence of spread to PowerSchool production infrastructure.
- **Collection:** Gathering customer contact info, case metadata, and case communications.
- **Exfiltration:** Data theft occurred from the Salesforce database.
- **Impact:** Unauthorized access and potential exposure of sensitive customer communication data.
## Impact Assessment
- **Financial:** No financial costs or ransom demands mentioned in relation to *this specific breach*. (Note: PowerSchool was dealing with ramifications from a previous 2024 breach.)
- **Data Breach:** Customer contact information, support case metadata, contents of support case communications.
- **Operational:** No evidence suggests disruption to PowerSchool production systems or infrastructure outside of the Salesforce environment.
- **Reputational:** Negative: the notice went only to a closed users group and was then removed, so outside parties had difficulty obtaining information about the incident.
## Indicators of Compromise
- **Network indicators - defanged:** N/A (No specific C2 or IP addresses mentioned related to this access vector).
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized access to the Salesforce customer support database leveraged by the Salesloft integration.
## Response Actions
- **Containment measures:** Isolation of the incident to the Salesforce database; statement confirms no other PowerSchool infrastructure was affected.
- **Eradication steps:** Not detailed; the notice implies that the integration's connection to Salesforce and the affected data were remediated or secured as required, but gives no specifics.
- **Recovery actions:** Communication to customers advising them to change credentials that may have been exposed in support requests.
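As an added example (not PowerSchool's own tooling, and not text from the original notice), the following Python script shows how a customer could carry out that check over an export of their support cases: it scans case text for common credential patterns and produces a list of cases whose credentials need rotating. The export layout (records with `case_id` and `body` fields), the pattern set and the sample cases are constructed assumptions; adapt the loader to whatever your helpdesk or Salesforce export actually produces.

```python
"""Scan exported support-case text for credentials that should never have been submitted.

Added example, not PowerSchool's tooling. The record layout ({'case_id', 'body'}) and
the sample cases below are constructed assumptions for illustration.
"""
import re

# Each pattern captures the secret itself in group 1 so the report can redact it.
# Patterns favour precision over recall: a second pass with a full secret scanner
# is still worthwhile, but these catch what people typically paste into tickets.
PATTERNS = {
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\b\s*[:=]\s*['\"]?([^\s'\"]{4,})", re.I),
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)"),
    "jwt": re.compile(r"\b(eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,})"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})", re.I),
    "basic_auth_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@", re.I),
}

SAMPLE_CASES = [  # constructed sample data, not real PowerSchool cases
    {"case_id": "1001", "body": "Login fails for our admin. Username: jdoe, password: Summer2025! Please reset."},
    {"case_id": "1002", "body": "Our nightly sync uses AKIAABCDEFGHIJKLMNOP; the secret key is in the attachment."},
    {"case_id": "1003", "body": "The nightly export stopped at 02:00. Logs attached, no credentials included."},
    {"case_id": "1004", "body": "Tried curl -H 'Authorization: Bearer sk_live_abcdefghijklmnopqrstuvwxyz0123' and got 403."},
    {"case_id": "1005", "body": "Connection string is mysql://app:Tr0ub4dor&3@db.internal:3306/prod"},
]


def redact(secret: str) -> str:
    """Keep a short prefix so an analyst can correlate without re-exposing the secret."""
    return secret[:4] + "***"


def scan_text(text: str) -> list:
    """Return (kind, redacted_secret) for every pattern hit in one case body."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((kind, redact(m.group(1))))
    return hits


def scan_cases(cases) -> list:
    """Flatten hits across all cases into report rows."""
    report = []
    for case in cases:
        for kind, redacted in scan_text(case["body"]):
            report.append({"case_id": case["case_id"], "kind": kind, "redacted": redacted})
    return report


def cases_needing_rotation(report) -> list:
    """Distinct case IDs with at least one finding: the rotation worklist."""
    return sorted({row["case_id"] for row in report})


if __name__ == "__main__":
    rows = scan_cases(SAMPLE_CASES)
    for row in rows:
        print(f"case {row['case_id']}: {row['kind']} -> {row['redacted']}")
    print("rotate credentials referenced in cases:", cases_needing_rotation(rows))
```

The scanner only reports a redacted prefix, so the worklist itself does not become a second copy of the secrets. Treat every hit as already exposed: the question is not whether the attacker read that particular case, but that the credential was sitting in a database a third party could reach.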
## Lessons Learned
- Third-party applications such as Salesloft Drift that integrate deeply with sensitive environments (here, Salesforce) carry significant supply chain risk: a compromise at the vendor becomes access to the connected data of every customer at once.
- **Critical Need for Security Best Practices:** Customers were reminded not to submit credentials to vendors via standard support channels.
- Insufficient transparency: The initial notice was posted in a closed group and quickly removed, leading to difficulty in obtaining information externally.
## Recommendations
- Immediately review and audit all third-party integrations with access to sensitive customer data environments such as Salesforce: enumerate connected apps, the OAuth scopes and API permissions each holds, and the integration users they act as; revoke anything unused or over-privileged.
- Implement strict policies forbidding the submission of credentials via support tickets on all vendor platforms, and pair the policy with a control: scan incoming and historical case text for credential patterns and rotate anything found.
- Enhance monitoring of the Salesforce instance the Salesloft integration accessed: alert on connected-app API activity that is unusual in volume (bulk reads of Case, Contact or related objects), in scope (objects the integration has no business reading) or in timing.
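One concrete shape for that monitoring, as an added example that is not PowerSchool's or Salesforce's own code: a detector that reads normalised API-activity records for a connected app and alerts when the app touches objects outside its declared purpose, reads more rows in a trailing hour than its baseline allows, or is not registered in the policy at all. The record schema (`ts`, `app`, `user`, `object`, `rows`), the per-app policy table and the sample events are constructed assumptions; a real Salesforce Event Monitoring export would have to be mapped onto these fields first.

```python
"""Alert on anomalous connected-app API activity against a CRM tenant.

Added example, not PowerSchool's or Salesforce's code. The event schema, the policy
table and SAMPLE_EVENTS are constructed assumptions; map your real audit export
(e.g. Salesforce Event Monitoring) onto these fields before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# What each integration is expected to do. A chat widget that syncs leads has no
# business reading support cases, and never in bulk.
APP_POLICY = {
    "chat-integration": {"objects": {"Contact", "Lead"}, "max_rows_per_hour": 500},
}

# Constructed sample: two quiet days, then a bulk read of case data at 02:00 and
# an API call from an app nobody registered a policy for.
SAMPLE_EVENTS = [
    {"ts": "2025-08-20T09:00:00", "app": "chat-integration", "user": "int.chat@example.test", "object": "Contact", "rows": 40},
    {"ts": "2025-08-20T09:30:00", "app": "chat-integration", "user": "int.chat@example.test", "object": "Lead", "rows": 15},
    {"ts": "2025-08-21T10:05:00", "app": "chat-integration", "user": "int.chat@example.test", "object": "Contact", "rows": 55},
    {"ts": "2025-08-22T02:10:00", "app": "chat-integration", "user": "int.chat@example.test", "object": "Case", "rows": 25000},
    {"ts": "2025-08-22T02:12:00", "app": "chat-integration", "user": "int.chat@example.test", "object": "CaseComment", "rows": 80000},
    {"ts": "2025-08-22T02:15:00", "app": "unregistered-app", "user": "int.chat@example.test", "object": "Contact", "rows": 10},
]


def detect(events, policy=APP_POLICY, window=timedelta(hours=1)) -> list:
    """Return alert dicts, grouped by app and time-ordered within each app.

    Rules: unregistered_app (no policy entry), object_outside_allowlist, and
    volume_over_baseline (rows read in the trailing window exceed the app's cap).
    """
    alerts = []
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort correctly
        by_app[e["app"]].append(e)

    for app, evs in by_app.items():
        pol = policy.get(app)
        if pol is None:
            # An app with no policy entry should not hold a token at all.
            alerts.append({"rule": "unregistered_app", "app": app, "ts": evs[0]["ts"]})
            continue
        recent = []  # events inside the trailing window, oldest first
        for e in evs:
            now = datetime.fromisoformat(e["ts"])
            if e["object"] not in pol["objects"]:
                alerts.append({"rule": "object_outside_allowlist", "app": app,
                               "object": e["object"], "ts": e["ts"]})
            recent.append(e)
            while datetime.fromisoformat(recent[0]["ts"]) < now - window:
                recent.pop(0)
            total = sum(r["rows"] for r in recent)
            if total > pol["max_rows_per_hour"]:
                alerts.append({"rule": "volume_over_baseline", "app": app,
                               "rows_in_window": total, "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The object allowlist is the rule that matters most here: an integration's token is usually scoped far wider than its job, so the earliest reliable signal of a stolen token is the app reading object types it never touched before, not just reading more of the same.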