Software maker Brightly confirmed that hackers stole nearly three million SchoolDude user accounts in an April data breach.
SchoolDude is a cloud-based work order management system used by schools and universities to submit and track maintenance orders. Its users include school employees, such as principals, executives and maintenance workers, as well as students and other staff who submit repair requests.
In a data breach notice filed with the Maine attorney general’s office, Brightly said it notified past and current customers that hackers took their names, email addresses, account passwords and phone numbers, if added to the account. The data also includes the names of school districts.
Brightly says it is resetting customer passwords, a common practice when passwords are exposed. The company warned users to change the passwords of other online accounts that use the same SchoolDude password. This refers to credential stuffing, where hackers use passwords from previous data breaches to gain access to other user accounts with similar passwords. A Reddit sysadmin who received the data breach notification said that the stolen passwords were not encrypted.
When reached for comment, spokeswoman Annie Satow did not dispute that the stolen SchoolDude passwords were not encrypted, but declined to comment beyond the company’s data breach notification. Brightly also declined to say how the breach occurred, or to say who — if anyone — was responsible for managing the company’s cybersecurity at the time of the breach.
Brightly’s notice said that the breach was discovered on April 28, more than a week after the mass data theft.
Siemens bought Brightly, formerly known as Dude Solutions, in 2022 from private equity owner Clearlake Capital in a $1.6 billion deal. At the time, Brightly said it had 12,000 business customers, mainly in the UK, Canada, Australia, and the United States.