There have been quite a few hacks, takedowns, arrests, and leaks lately, plus new insights from the Identity Theft Resource Center (ITRC) 2024 Breach Report.
Dive into the most pressing recent stories on data leaks, cybercrime, and the dark web with security researcher Nick Ascoli on the podcast Leaky Weekly.
On this episode of Leaky Weekly, Nick covers:
- PowerSchool hack
- Cracked & Nulled takedowns and arrests
- Otelier data leak
- ITRC 2024 Breach Report findings
- DeepSeek data leak
Tune in to the podcast on Spotify or Apple Podcasts, watch the video episode on YouTube, or keep reading this article for the highlights.
These are all developing stories that we covered very briefly, so check out cybersecurity news outlets to stay up-to-date. We couldn’t cover everything in the last few weeks or so, and we’ll look into new stories and developments next time.
PowerSchool Hack
PowerSchool, a widely used student information system with roughly 16,000 customers serving 50 million students, was breached using a stolen credential, exposing student data. The leading narrative so far is that stolen credentials for a PowerSchool portal account that did not have 2FA enabled were available on the dark web and were used to log in.
Schools use this software to track information about students including their:
- Name
- Birthday
- Address
- Parents and legal guardians
Some districts also track:
- Social security numbers
- Health records
- Disciplinary records
This is likely the largest leak to date affecting children under the age of 18 in the United States.
PowerSchool paid the threat actor to delete the data, which is a common practice with extortion groups. The threat actors behind the Snowflake tenant campaign also extorted victim organizations this way.
On Paying Threat Actors to Delete Data…
Extortion groups’ campaigns have been getting more coverage in the news. Victim organizations may pay the fee for threat actors to delete their stolen data (and to not release it), but there is no guarantee of this happening.
In a prominent recent example, the threat actor Waifu extorted AT&T out of over $370,000 to delete the data, and sent a video of himself doing so. However, it was well known that he had been exchanging this data with other threat actors, and at one point the download link was made public.
It is possible that extortion groups have only one copy of the data and delete it when asked, but it’s safer to assume that a few other people have this data, at the very least within the extortion group itself.
With the PowerSchool hack, the threat actor has not released the data, or at least it has not publicly made its way onto major hacking forums or into cybercrime groups.
Cracked and Nulled Takedowns and Arrests
Europol and the U.S. Department of Justice announced that “Operation Talent” was responsible for the takedown of Cracked and Nulled, two major hacking forums.
The operation by the numbers (according to law enforcement):
- Two arrests (in Spain)
- Seven properties searched
- 17 servers and more than 50 electronic devices were taken into evidence
- Roughly $310,000 in cash and crypto was found
Keep reading for an explanation of what sites were taken down and what they did.
Cracked
Cracked is a hacking forum that had been around since 2018 and was a popular place for combolists, hacking tools, and advertised services. It had about four million users and was estimated to generate $4 million in revenue on its own, not counting the many transactions it facilitated.
Nulled
Nulled had been around a bit longer, since around 2016. It had about five million users and an estimated annual revenue of about $1 million.
The English-speaking and Russian-speaking cybercrime communities, which account for most of the coverage in the U.S. and EU, span about 100 cybercrime forums. Only a handful of those have substantial user bases and traffic, which is why they make the news. Cracked and Nulled were both in that handful.
Sellix and MySellix
Cracked, StarkRDP and RDP.sh used Sellix as a payment processor, and it is well known that the original founder of Cracked also founded Sellix.
Interestingly, one of Sellix's domains that was not seized, Sellix.com, currently carries an official statement on Operation Talent saying the company was not aware of any specific illegal transactions through its platform in connection with Cracked.
StarkRDP and RDP.sh
Both StarkRDP and RDP.sh were heavily advertised on Cracked and Nulled as a place to rent virtual servers.
Otelier Data Leak
Otelier is a popular hotel management platform used by major global hotel chains at more than 10,000 hotels. A threat actor had access to Otelier's AWS environment from July to October 2024 and claimed to have stolen about eight terabytes of data from its S3 buckets.
This leak continues the disturbing trend covered on this show: low-effort extortion that works. These groups log in with stolen credentials; no ransomware, custom tooling, or malware development is needed. As IBM X-Force's 2024 Threat Intelligence Index put it, “In this era, the focus has shifted to logging in rather than hacking in.”
Much like the PowerSchool hack, the root cause of the leak according to Otelier was a stolen employee credential. The vast majority of leaks trace back to stolen credentials, whether bought on the dark web or pulled from an infostealer log.
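Since both the PowerSchool and Otelier intrusions came down to a password-only login with a stolen credential, the detection a practitioner wants is one that flags exactly that. Below is an added example (not code from either vendor, from Flare, or from the podcast) run over a few constructed JSON login events: it lists accounts that have never presented an MFA factor, and it flags password-only logins from addresses outside a user's known-IP baseline, escalating when a bulk export follows from the same address within a few minutes. The event schema, field names, usernames and IP addresses are all assumed for illustration; in production the baseline would come from weeks of authentication history rather than a hand-written dict.

```python
"""Flag password-only logins from IPs a user has never authenticated from.

Added example for the PowerSchool and Otelier sections above; not code from
either vendor. The event format is constructed for illustration, not any
product's real log schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines), oldest first. The last two are the
# interesting ones: a password-only login from an address the account has never
# used, followed two minutes later by a large export from that same address.
SAMPLE_EVENTS = """
{"ts":"2024-07-01T08:02:11Z","user":"jdoe","event":"login_success","mfa":"totp","src_ip":"203.0.113.10"}
{"ts":"2024-07-02T08:05:40Z","user":"jdoe","event":"login_success","mfa":"totp","src_ip":"203.0.113.10"}
{"ts":"2024-07-03T09:11:02Z","user":"svc_export","event":"login_success","mfa":"none","src_ip":"198.51.100.7"}
{"ts":"2024-07-15T01:47:19Z","user":"svc_export","event":"login_success","mfa":"none","src_ip":"192.0.2.99"}
{"ts":"2024-07-15T01:49:03Z","user":"svc_export","event":"bulk_export","rows":2500000,"src_ip":"192.0.2.99"}
""".strip()


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def accounts_without_mfa(events):
    """Users whose successful logins never carried an MFA factor (the PowerSchool /
    Otelier precondition): the audit list to fix before worrying about detection."""
    factors = {}
    for e in events:
        if e["event"] == "login_success":
            factors.setdefault(e["user"], set()).add(e.get("mfa", "none"))
    return {user for user, seen in factors.items() if seen == {"none"}}


def find_suspicious_logins(events, known_ips, export_window=timedelta(minutes=10)):
    """Flag password-only logins from an IP outside the user's baseline.

    known_ips: {user: {ip, ...}} learned from prior history (assumed input).
    MFA-verified logins extend the baseline; password-only ones never do, so a
    stolen credential cannot whitelist its own source address. A bulk export
    from the same address within export_window raises severity to "high".
    """
    known = {user: set(ips) for user, ips in known_ips.items()}
    findings = []
    for i, e in enumerate(events):
        if e["event"] != "login_success":
            continue
        if e.get("mfa", "none") != "none":
            known.setdefault(e["user"], set()).add(e["src_ip"])
            continue
        if e["src_ip"] in known.get(e["user"], set()):
            continue
        severity = "medium"
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > export_window:
                break
            if (later["user"] == e["user"] and later["event"] == "bulk_export"
                    and later["src_ip"] == e["src_ip"]):
                severity = "high"
                break
        findings.append({"user": e["user"], "src_ip": e["src_ip"],
                         "ts": e["ts"].isoformat(), "severity": severity})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("no MFA ever:", accounts_without_mfa(evs))
    baseline = {"jdoe": {"203.0.113.10"}, "svc_export": {"198.51.100.7"}}
    for f in find_suspicious_logins(evs, baseline):
        print(f)
```

The point of keeping password-only logins out of the baseline is the subtle part: a naive "first seen" model would have learned the attacker's address after the first successful login and gone quiet for every later one.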
DeepSeek Data Leak
DeepSeek accidentally exposed an internal ClickHouse database to the public. ClickHouse is a popular open source database software, and lots of organizations like eBay and Uber use it for ingesting large amounts of user activity logs from their platform activity to search for anomalies, analyze user behaviors, and train machine learning models over massive data sets.
This public, unauthenticated database held over a million lines of log streams containing:
- Chat history
- Secret keys
- Backend details
- And other highly sensitive information
There were several tables, and according to Wiz, the log streams were the most interesting. Here is what they did:
They ran active and passive DNS to enumerate subdomains, then queried for open ports other than the standard web ports 80 and 443. Two open ports caught their eye: 8123 and 9000 (ClickHouse's HTTP interface and its native TCP protocol, respectively). They connected to the 8123 host, which was the ClickHouse HTTP interface, ran SHOW TABLES, saw the log_stream table in the list, ran SELECT * FROM log_stream, and BOOM: raw logs from many DeepSeek services, including:
- Their API backend
- Chat backend that had chat logs
- Platform backend
- Usage checker
- and probably more, but Wiz did not list them
Within these logs were columns such as:
- timestamp: when the log entry was written; they found entries dating back to January 6th, 2025
- span_name: references to internal DeepSeek API endpoints
- _service: which DeepSeek service generated the log
- string.values: plaintext log lines containing chat history, API keys, backend details, and operational metadata
- _source: the origin of the log request, which also contained chat history, API keys, directory structure, and chatbot metadata
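The steps above are easy to turn into a check you can run against your own estate before someone else does. The following is an added example, not Wiz's tooling and not anything from DeepSeek: it confirms that a port speaks the ClickHouse HTTP interface and answers a query with no credentials (a bare GET on the interface returns "Ok." and SELECT 1 returns "1"), lists tables, samples the log table with a LIMIT, and scans the rows for credential-shaped strings. Network access sits behind a fetch(url) callable so the logic can be exercised offline; the FAKE_RESPONSES, host name, column values and the secret patterns are constructed for illustration, with column names borrowed from the Wiz findings described above.

```python
"""Probe a ClickHouse HTTP interface for unauthenticated access and triage
what an exposed log table leaks.

Added example (not Wiz's or DeepSeek's code). Network I/O goes through a
fetch(url) -> str callable; default_fetch uses only the standard library, and
fake_fetch serves constructed responses so everything below runs offline.
"""
import json
import re
import urllib.parse
import urllib.request


def default_fetch(url, timeout=5):
    """GET a URL and return the body as text (real network; not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def clickhouse_url(host, port, query=None):
    """ClickHouse HTTP interface takes SQL in the `query` parameter of a GET."""
    base = f"http://{host}:{port}/"
    return base + ("?" + urllib.parse.urlencode({"query": query}) if query else "")


def is_open_clickhouse(host, port, fetch):
    """True if the port answers the ClickHouse health GET with "Ok." and then
    executes SELECT 1 without any credentials. Auth failures raise (HTTP 401/403)
    or return an error body, both of which map to False."""
    try:
        if fetch(clickhouse_url(host, port)).strip() != "Ok.":
            return False
        return fetch(clickhouse_url(host, port, "SELECT 1")).strip() == "1"
    except Exception:
        return False


def list_tables(host, port, fetch):
    """SHOW TABLES returns one table name per line in the default TSV format."""
    return [t for t in fetch(clickhouse_url(host, port, "SHOW TABLES")).splitlines() if t]


# Constructed patterns for credentials that should never sit in plaintext logs.
SECRET_PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
    "sk_style_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def triage_log_rows(rows_jsoneachrow):
    """Parse `SELECT ... FORMAT JSONEachRow` output (one JSON object per line)
    and return {row_index: [pattern names]} for rows that carry a secret."""
    hits = {}
    for i, line in enumerate(l for l in rows_jsoneachrow.splitlines() if l.strip()):
        row = json.loads(line)
        text = " ".join(str(v) for v in row.values())
        names = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
        if names:
            hits[i] = names
    return hits


def assess(host, port, fetch, table="log_stream", limit=3):
    """End to end: confirm open access, list tables, sample the log table, triage.
    Returns None when the port is not an open ClickHouse HTTP interface."""
    if not is_open_clickhouse(host, port, fetch):
        return None
    tables = list_tables(host, port, fetch)
    sample = fetch(clickhouse_url(host, port,
                                  f"SELECT * FROM {table} LIMIT {limit} FORMAT JSONEachRow"))
    return {"tables": tables, "leaks": triage_log_rows(sample)}


# Constructed stand-in for an exposed server, keyed by the SQL in the request.
FAKE_RESPONSES = {
    None: "Ok.\n",
    "SELECT 1": "1\n",
    "SHOW TABLES": "log_stream\nsystem_events\n",
    "SELECT * FROM log_stream LIMIT 3 FORMAT JSONEachRow": (
        '{"timestamp":"2025-01-06T10:00:00Z","span_name":"/api/v0/chat","_service":"chat_backend","string.values":["user asked about tax law"]}\n'
        '{"timestamp":"2025-01-06T10:00:01Z","span_name":"/api/v0/keys","_service":"api_backend","string.values":["authorization: Bearer abcdefghijklmnopqrstuvwxyz0123456789"]}\n'
        '{"timestamp":"2025-01-06T10:00:02Z","span_name":"/usage","_service":"usage_checker","string.values":["ok"]}\n'
    ),
}


def fake_fetch(url):
    """Offline fetch: look up the decoded `query` parameter in FAKE_RESPONSES."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("query", [None])[0]
    return FAKE_RESPONSES[query]


if __name__ == "__main__":
    print(assess("db.example.internal", 8123, fake_fetch))
```

Swap fake_fetch for default_fetch to run it against a host you are authorized to test. The stock ClickHouse users.xml ships the default user with an empty password and a networks entry of ::/0, so the real fix is the usual pair: bind listen_host to a private interface and give every user a password and a tight networks list, then let this check confirm that 8123 and 9000 are no longer reachable from outside.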
ITRC 2024 Breach Report Findings
The ITRC (Identity Theft Resource Center) has published its 2024 Breach Report. The top five compromises, ranked by the number of victim notices sent, were:
- Ticketmaster Entertainment, LLC (560 million victim notices)
- Advance Auto Parts, Inc. (380 million notices)
- Change Healthcare (190 million notices)
- DemandScience by Pure Incubation (121.8 million notices)
- AT&T (110 million victim notices)
Something to note: three of these five breaches (Ticketmaster, Advance Auto Parts, and AT&T) come from one campaign targeting Snowflake customer accounts that had no 2-factor authentication configured. (This is not Snowflake's fault, as customers are responsible for their own authentication settings.)
The Snowflake campaign impacted over 160 companies, and three of those turned out to be among the largest data breaches of the year, which is a wild scale.
Leaky Weekly and Flare Academy
Leaky Weekly is brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes.
Flare now offers Flare Academy, which can elevate your cybersecurity career. Our free training series is led by experts and covers critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications.
Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick!), and more.