On February 24, 2017, PowerSchool Learning’s provider of DDoS mitigation services, Cloudflare, announced a memory leak. PowerSchool uses Cloudflare to ensure that your services are available when attackers try to deny you access to them by overwhelming our servers with requests. Cloudflare also makes response times faster for you by holding some data closer to you.
In some unusual circumstances, Cloudflare edge servers ran past the end of a buffer and returned memory that contained information from other customers, inadvertently exposing data. In some cases the information was cached by a search engine.
Cloudflare has reported: “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).” PowerSchool Learning traffic is a small piece of the traffic Cloudflare serves daily.
The odds are very low that PowerSchool Learning confidential data was leaked due to the parser bug. PowerSchool products aside from PowerSchool Learning utilize a different DDoS mitigation service and are thus unaffected.
What steps is PowerSchool taking to respond?
Although the risk that data leaked is low, we are taking all reasonable and appropriate precautions. Out of an abundance of caution, we are revoking all API access tokens to enforce a credential refresh and we are refreshing all internal administrative passwords.
What should I do as a PowerSchool Learning User?
We advise that you take the normal, sensible precautions you always take to protect your identity and information. Change your password on a regular basis. (Now would be a very good time, given Cloudflare's announcement!) As always, be cautious when providing personal information on the internet and be wary of emails from unexpected sources with unknown attachments.