It looks like “SingularityMD,” the hacker(s) of Clark County School District in Nevada and Jeffco Public Schools in Colorado, are looking to start selling the data they exfiltrated.
In an introductory post today on Breach Forums, they write:
We are SingularityMD.
We specialize in low sophistication corporate network infiltration.
We are behind the following hacks
We have access to a lot of organizational data and would like a place to sell it.
We plan to sell the Jeffco data breach dataset and some parts of CCSD which has not previously been leaked.
We have data for additional organizations we will sell over time.
Attempting to sell data on the popular forum is somewhat of a game-changer, as even if they sell data to just one buyer, there is no way to know how many others will buy the data from the original purchaser. The buyer might keep it privately or choose to re-sell it to any number of buyers. Or if there’s no buyer, SingularityMD might just leak the data (give it away freely on the forum).
In communications with DataBreaches tonight, SingularityMD confirmed that was the plan, writing:
With the jeffco data we are attempting to sell it now to the highest bidder on breachforums among others. So it may take longer to appear in the public domain and may actually not be made public. We will likely leak whatever we cannot sell.
SingularityMD also responded to an inquiry from DataBreaches asking whether there are other victims:
We have performed data collection on two districts since, though much smaller 30k students and 80k students. Working to understand if there is a better way to be paid for our efforts – likely by selling to data directly and staying out of the news so much. May not announce future work.
DataBreaches understands that SingularityMD’s willingness to share some details with DataBreaches has led some districts to start requiring 2FA or MFA where they hadn’t required it before, and to begin to address known security issues. DataBreaches has also contacted Infinite Campus about one issue and will update this post if an answer is received, but will not even mention the issue for now so as not to encourage exploitation of it.
But apart from the issue DataBreaches has raised with Infinite Campus and some questions this site has submitted to Google that also await answers, one of the questions DataBreaches put to SingularityMD concerned whether they had ever exploited o365 like they had Google Apps. Their answer:
Yes, there is a specific school district which used their student ID as the email address and the password is the student ID and the student initials.
They did take precaution to prevent the names from showing anywhere with the email address in google apps unless students added to their address book but through o365 we managed to expose the names and have access to all accounts.
Where used, o365 2fa is harder to circumnavigate though.
DataBreaches will continue to follow developments in these breaches.