On November 2, DataBreaches reported that the same threat actors who had hacked and exfiltrated data from Clark County School District in Las Vegas had also hit Jeffco Public Schools in Colorado. In communications shared with DataBreaches, "SingularityMD," as the hackers call themselves, gave the district until 5 pm today to pay them $15,000 in Monero cryptocurrency.
Unbeknownst to DataBreaches until now, the hackers had also sent an email to Jill Ibeck, the district's Chief Information Officer (CIO), and other staff members in response to a district email. In their email to the CIO, the hackers commented:
A global password reset for teachers is relevant and a step in the correct direction, however, if student accounts are still compromised due to the use of birthdates as passwords, and all the Infinite Campus for students is already leaked then, we, the hackers, have access to most student accounts still, and can simply access the teacher network again as soon as a teacher makes a security blunder.
They also noted the district’s lack of response to them, adding:
Without some indication of cooperation, we have to assume that you are not planning on complying with our requests. In this case we may as well make more trouble for you to show the next school district that it makes more sense to work with us as opposed to against us.
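The attack path the email describes (a leaked student roster plus birthdate passwords, giving the attackers access to most student accounts and a foothold from which to re-enter the teacher network) is something a district can audit for itself. The following is an added example written for this page; it is not code from the article, from SingularityMD, from Jeffco, or from Infinite Campus. It rejects birthdate-derived passwords at reset time and, separately, finds existing accounts whose stored hash matches a birthdate guess. The roster is constructed sample data, and plain SHA-256 stands in for the directory's real (salted, slow) hash only so the demo is self-contained.

```python
"""Audit accounts whose password is derived from the user's date of birth.

Added example for this page; not code from the article or from any party
in it.  SAMPLE_ROSTER is constructed data.  Real directories store salted
slow hashes (bcrypt/argon2); SHA-256 is used here only to keep the demo
self-contained.
"""
import hashlib
import itertools
from datetime import date


def dob_candidates(dob: date) -> set[str]:
    """Every common way a birthdate gets typed as a password.

    Day/month/year in US, European and ISO order, with and without zero
    padding, two- or four-digit year, and the usual separators.  One
    birthdate expands to roughly a hundred strings.
    """
    pool = {
        "d": {f"{dob.day:02d}", str(dob.day)},
        "m": {f"{dob.month:02d}", str(dob.month)},
        "y": {str(dob.year), f"{dob.year % 100:02d}"},
    }
    orders = [("m", "d", "y"), ("d", "m", "y"), ("y", "m", "d"),
              ("m", "d"), ("d", "m")]
    cands = set()
    for order in orders:
        for combo in itertools.product(*(pool[k] for k in order)):
            for sep in ("", "-", "/", "."):
                cands.add(sep.join(combo))
    return cands


def is_dob_derived(password: str, dob: date) -> bool:
    """True if the password is, or contains, a rendering of the DOB.

    Use this at password-change time, when the plaintext is available.
    Short forms such as "3-14" must match exactly; forms of six or more
    characters are also rejected as substrings, so "Student03142009!"
    still fails.
    """
    for cand in dob_candidates(dob):
        if password == cand:
            return True
        if len(cand) >= 6 and cand in password:
            return True
    return False


def _demo_hash(password: str) -> str:
    # Stand-in for the directory's real password hash (constructed for the demo).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample roster: (username, date of birth, stored hash).
SAMPLE_ROSTER = [
    ("student01", date(2009, 3, 14), _demo_hash("03142009")),      # MMDDYYYY
    ("student02", date(2008, 11, 2), _demo_hash("02/11/08")),      # DD/MM/YY
    ("student03", date(2010, 7, 9), _demo_hash("Sun-Flower!47")),  # unrelated
    ("student04", date(2007, 1, 30), _demo_hash("Jeffco01302007")),  # embedded
]


def audit_roster(roster, hash_fn=_demo_hash) -> list[str]:
    """Usernames whose stored hash equals the hash of a DOB-derived guess.

    Runs against hashes, so it can be pointed at a directory export
    without ever seeing plaintext.  It makes exactly the guess an attacker
    holding a leaked roster would make, so every hit here is an account
    that attacker can already log into.  Passwords that merely embed the
    date (student04) are not caught this way; only the reset-time check
    above sees those.
    """
    flagged = []
    for username, dob, stored in roster:
        if any(hash_fn(c) == stored for c in dob_candidates(dob)):
            flagged.append(username)
    return flagged


if __name__ == "__main__":
    print("accounts with a birthdate password:", audit_roster(SAMPLE_ROSTER))
    print("reset-time check on an embedded date:",
          is_dob_derived("Jeffco01302007", date(2007, 1, 30)))
```

The two checks are deliberately separate: the hash audit is what you run once over the whole directory to find who is exposed today, and the plaintext check is what the reset flow should enforce so that the replacement passwords do not reintroduce the same pattern with a prefix bolted on. Neither addresses the second half of the email's point, that a compromised student account is only useful to the attacker as a stepping stone; that part is a network-segmentation and MFA question, not a password one.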
It appears that the email did not produce the results they desired, and today, they sent another email to the CIO with an even bigger distribution list. Noting the district’s continued lack of response, they wrote:
Looking at your lack of cooperation, we anticipate that you are unlikely to cooperate with us.
We would like to make it clear that we do not want to upload all of your stolen information. We also would like to show other school districts and organizations that SingularityMD does keep its word with regards to destruction on payment.
Therefore we are willing to reduce the fee for disposal of the stolen information down to $2,000 USD in Monero (XMR).
They also indicated a willingness to extend the deadline to give the district time to consider the offer and to complete the password resets across the organization that had still not been completed.
The email also reminded the district what would happen if the hackers did not hear from them by the 5 pm deadline.
Five minutes before the 5 pm deadline, the hackers emailed thousands of parents and sent them the correspondence between the hackers and the district. They then sent Jeffco another email saying:
We have notified 3k parents and some news outlets, providing full correspondence. As such, we will grant 24 hours extension to let parents weigh in on the matter.
As yet, we have not leaked any private information.
Will the district decide to pay $2,000 to get the hackers not to leak data and to destroy what they have downloaded from the district, or will they stand on principle and not pay? Will parents pressure the district to pay to protect their children's personal information? Will teachers pressure them to pay to protect their information?
And even if they pay, what will prevent another breach if they don’t take significant steps to address security vulnerabilities?
DataBreaches will continue to monitor this incident.
Update 1: Based on questions DataBreaches received from readers, DataBreaches asked SingularityMD some additional questions.
First, in response to a question as to what they would do if a parent paid the $2,000.00 — whether they would still destroy all the data they had exfiltrated and not leak it, SingularityMD answered that yes, they would not leak the data and would destroy it.
Second, in response to whether they would still provide the district with a written report if they were paid $2,000.00 by a parent, they said that there would be no written report for that amount, but they would explain the issues.
Third, DataBreaches mentioned that they appear to have had an impact: this site is hearing that Infinite Campus has sent out a memo, and Google seems to have taken notice, too. They replied, in part,
We have seen Google start to put CAPTCHAs on Google Groups in what we perceive to be an attempt to prevent the extraction of a group, as we have previously done for CCSD and Jeffco.
They also wrote that they
suspect IC knows about it, as they are recommending 2FA now for all accounts, as you pointed out. We have accessed yet another school district's IC as a teacher this week, and now it sends a login notice ("You have logged in from a new device") to the associated email address. It did catch us out, and one teacher changed their password as a result, but for the district in question we already had access to another teacher's email, and in their case we could delete the notice before it was seen.
————
Update: See the latest developments in the new post, Time’s up: SingularityMD sets up to sell data from Jeffco Public Schools.
Jeffco is being lazy at informing us. As a student, I had to go out of my way to research any available information that might tell us what’s happening. Thank you so much for these insightful articles.
You’re welcome. I don’t think the district is being lazy. This is intentional non-disclosure.
i am a jeffco student (using a burner email to protect my identity): i asked my teachers what was going on but they told me to shut up and get back to working so i had to go out of my way. i told them not to put in the new e hall pass thing and they did AND A DAY LATER, JEFFCO GETS HACKED. i am not one to get into conspiracies but it could be more than a coincidence. also, I WARNED THEM NOT TO USE BIRTHDAYS AS PASSWORDS I FUCKING WARNED THEM SO THEY CHANGED IT TO SOMETHING WHERE THE MOST UNIQUE ELEMENT IS IN MY GODDAMN EMAIL!! WTF JEFFCO! also unrelated but i looked up Anihi Blep, the guy who sent the email and basically, jeffco got hacked by a FUCKING FURRY
I am also a jeffco student, this is not confirmed but some evidence points me to think that Singularity was able to get the DNS keys and take it over like they did with Clark county. (Burner email to protect privacy)
That’s not how they claim to have gained access.
I’m not claiming that it was how they claimed to gain access. They gained access due to students having too much PII on socials. I’m saying I’m suspicious that the DNS keys were hijacked
It seems like either jeffco or singularity changed all the temp passwords. tons of students lost access. this is either a really good or really really bad thing. radio silence from both sides so who knows
When did this happen?
Okay, according to SingularityMD, this is not a new development but is what happened when Jeffco attempted to block them from logging in after the district realized they could access any student account.
Please note there is a new post up tonight that you may want to see at https://www.databreaches.net/times-up-singularitymd-sets-up-to-sell-data-from-jeffco-public-schools/