Software maker Brightly has confirmed that hackers stole nearly three million SchoolDude user accounts in an April data breach.
SchoolDude is a cloud-based work order management system primarily used by schools and universities to submit and track maintenance orders. The users are school employees, such as principals, supervisors, and maintenance workers, as well as students and other staff who submit repair requests.
In a data breach notification filed with the Maine Attorney General’s office, Brightly said it notified both former and current clients that the hackers took their names, email addresses, account passwords and phone numbers, if added to the account. The data also includes the names of school districts.
Brightly said it was resetting customers’ passwords, a common practice when user logins are exposed. The company warned users to change passwords on other online accounts that use the same credentials as SchoolDude. The warning refers to credential stuffing, in which hackers take passwords exposed in previous data breaches and try them against other accounts where users have reused the same passwords. A system administrator on Reddit, who received the data breach notification, says the stolen passwords were not encrypted.
When reached for comment, spokesperson Annie Satow did not dispute that the stolen SchoolDude passwords were not encrypted, but declined to comment beyond the company’s data breach notification. Brightly also declined to say how the breach happened, or who – if anyone – was responsible for overseeing cybersecurity at the company at the time of the breach.
Brightly said in its post that it discovered the breach on April 28, more than a week after the massive data theft.
Siemens bought Brightly, formerly known as Dude Solutions, from private equity owner Clearlake Capital in 2022 in a $1.6 billion deal. At the time, Brightly said it had 12,000 corporate customers, mostly in the UK, Canada, Australia and the United States.