Brightly says SchoolDude data breach spilled 3 million user accounts

Software maker Brightly has confirmed that hackers stole close to three million SchoolDude user accounts in an April data breach.

SchoolDude is a cloud-based work order management system, used primarily by schools and universities, to submit and track maintenance orders. Its users are school employees, like principals, executives and maintenance workers, as well as students and other staff submitting repair requests.

In a data breach notice filed with the Maine attorney general's office, Brightly said it was notifying both past and present customers that the hackers took their names, email addresses, account passwords and phone numbers, if added to the account. The data also includes the names of school districts.

Brightly said it reset customer passwords, a common practice when user logins are exposed. The company warned users to change passwords on other online accounts that use the same credentials as they used on SchoolDude. This refers to credential stuffing, where hackers use passwords from previous data breaches to break into other user accounts with the same passwords. One sysadmin on Reddit, who received the data breach notice, says the stolen passwords were not encrypted.

When reached for comment, spokesperson Annie Satow did not dispute that the stolen SchoolDude passwords were unencrypted, but declined to comment beyond the company's data breach notice. Brightly also declined to say how the breach occurred, or say who — if anyone — was responsible for overseeing cybersecurity at the company at the time of the breach.

Brightly said in its notice that it discovered the breach on April 28, more than a week after the mass data theft.

Siemens bought Brightly, previously known as Dude Solutions, in 2022 from private equity owner Clearlake Capital in a $1.6 billion deal. At the time, Brightly said it had 12,000 enterprise customers, mainly across the U.K., Canada, Australia, and the United States.