Skoolbeep, an education technology company providing communication software for schools, parents, and students, has suffered a severe cyberattack. The incident, which began with a major data leak in late October 2025, has since escalated: credentials for Skoolbeep accounts are now being harvested from users' machines by info-stealer malware.
What Happened?
The security failure occurred in two phases. First, in late October 2025, a cybercriminal using the alias “888” stole approximately 3.9 gigabytes of Skoolbeep’s internal data and published it on a dark web forum. This massive leak included the application’s source code, internal configuration files, and a vast amount of sensitive personal information.
Second, cybercriminals appear to be exploiting that leak in a follow-on attack. As of November 5, 2025, usernames and passwords for skoolbeep.com accounts are turning up in info-stealer logs, including logs from RedLine Stealer, malware that harvests saved browser passwords, session cookies, and form data from infected machines. The most likely delivery route is phishing: emails made convincing by the leaked personal data, tricking users into running the malware. One caveat for anyone reading such logs: stealer logs also capture skoolbeep.com logins from infections unrelated to the leak, so an individual entry does not by itself prove a targeted campaign. Every entry is still a compromised account.
What Information Was Exposed and What’s the Risk?
This breach is critical because it exposed both the company’s internal secrets and its users’ personal data.
- For Individuals (Parents, Staff, Students): The leak exposed full names, email addresses, phone numbers, physical addresses, dates of birth, and sensitive national ID numbers (including PAN, GST, and Aadhaar numbers). This creates a high risk of identity theft, targeted financial fraud (especially related to school fee payments), and highly convincing phishing scams.
- For Skoolbeep (The Company): The leak exposed the application's source code, database passwords, and cloud service keys (including for Amazon Web Services). Until every one of those secrets is rotated, attackers hold the “keys to the kingdom”: the risk is a complete compromise of the infrastructure, service disruption, and severe regulatory penalties. The exposed source code also lets attackers search for further weaknesses at their leisure, so the leak has lasting value to them even after the secrets are changed.
Actions
If you are a Skoolbeep user (parent, teacher, or staff), you must take immediate action:
- Change Your Password: Log into your Skoolbeep account now and change your password to a new, strong, and unique one. If you used the same password anywhere else, change it there too; credentials from stealer logs are routinely tried against other services.
- Enable Multi-Factor Authentication (MFA): If Skoolbeep offers MFA (a secondary code, usually from your phone), enable it immediately. It stops an attacker who has only your password. It is not a complete defense, because info-stealers such as RedLine also steal browser session cookies, which can open an account without a password or a code. After changing your password, sign out of all devices if the app offers that option, and remove saved passwords from the browser on any computer you suspect is infected.
- Be Vigilant: Be extremely suspicious of any emails, texts, or calls asking for login details or payments, even if they appear to be from Skoolbeep or your school. Do not click links or download attachments from unexpected emails. Verify any payment requests by contacting your school through a separate, official channel, using a phone number or address you already have rather than one given in the message.
For Security Teams
SOC analysts and IT professionals should be aware of the TTPs and IOCs related to this incident. The initial breach appears to stem from a compromise of the public-facing web application (T1190), followed by exfiltration of unsecured credentials stored in configuration files (T1552.001, Credentials In Files). The second phase uses the leaked PII to target users with phishing (T1566) that delivers info-stealer malware; the malware harvests saved browser credentials (T1555.003, Credentials from Web Browsers) and browser session cookies, which an attacker can replay to bypass MFA (T1506, Web Session Cookie, now tracked as T1550.004). On the Skoolbeep side, every secret in the leaked files must be treated as compromised: rotate database passwords and AWS keys, review AWS CloudTrail for any use of the leaked keys, and, if the JWT signing secret sat in the leaked configuration, rotate it and invalidate all outstanding tokens, since an attacker holding that secret can forge tokens for any user. A forced password reset and session revocation for every account found in stealer logs is the minimum user-side response.
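The credentials-in-configuration exposure described above (T1552.001) is cheap to check for before a leak makes it public. The Python below is an added example, not Skoolbeep's code and not anything from the leaked archive: it walks a directory, flags files whose names match the leaked-file list, and reports hard-coded secrets with their values masked so the report cannot itself leak. The sample files it writes to a temporary directory are constructed for the demonstration; the setting-name regexes are heuristics, and the AWS access key ID format (AKIA or ASIA plus 16 characters) is the only exact pattern.

```python
import os
import re
import tempfile

# File names the leak list calls out; a hit in one of these is top priority.
LEAKED_CONFIG_NAMES = {".env", "database.php", "wp-config.php", "aws-config.php"}

# Heuristic: a setting whose name contains one of these words holds a credential.
KEY_WORDS = r"[A-Z0-9_]*(?:PASSWORD|SECRET|KEY|TOKEN)[A-Z0-9_]*"

PATTERNS = {
    # NAME=value or export NAME="value", as in a .env file
    "assignment": re.compile(
        rf"^\s*(?:export\s+)?(?P<name>{KEY_WORDS})\s*=\s*[\"']?(?P<value>[^\"'\s]+)", re.I),
    # define('DB_PASSWORD', 'value'), as in wp-config.php
    "php_define": re.compile(
        rf"define\(\s*['\"](?P<name>{KEY_WORDS})['\"]\s*,\s*['\"](?P<value>[^'\"]*)['\"]\s*\)", re.I),
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\b(?P<value>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
}


def mask(value: str) -> str:
    """Keep a 4-character prefix so findings can be matched without printing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_file(path: str) -> list:
    """Return one finding per credential-looking match, with the value masked."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    value = match.group("value")
                    if not value:
                        continue
                    findings.append({
                        "file": path,
                        "line": lineno,
                        "kind": kind,
                        # the aws pattern has no name group; label it by kind instead
                        "name": match.groupdict().get("name") or kind,
                        "masked": mask(value),
                        "leaked_name": os.path.basename(path) in LEAKED_CONFIG_NAMES,
                    })
    return findings


def scan_tree(root: str) -> list:
    """Scan every file under root; sorted so output is deterministic."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    findings.sort(key=lambda f: (f["file"], f["line"], f["kind"]))
    return findings


# Constructed sample tree: the file names mirror the leak list, the contents are invented.
SAMPLE_FILES = {
    ".env": (
        "APP_ENV=production\n"
        "DB_PASSWORD=example-db-pass\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
        "AWS_SECRET_ACCESS_KEY=example-secret-not-real\n"
        "JWT_SECRET=example-jwt-signing-secret\n"
    ),
    "wp-config.php": (
        "<?php\n"
        "define( 'DB_NAME', 'school' );\n"
        "define( 'DB_USER', 'app' );\n"
        "define( 'DB_PASSWORD', 'example-wp-pass' );\n"
        "define( 'AUTH_KEY', 'example-auth-key' );\n"
    ),
    # a non-config file with the word "credential" in prose: must produce no finding
    "README.md": "Rotate every credential listed in .env after an incident.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files to a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="config-scan-example-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "LEAKED-NAME " if f["leaked_name"] else ""
        print(f"{flag}{f['file']}:{f['line']} {f['kind']} {f['name']} = {f['masked']}")
```

Run against a real deployment or repository checkout, the scan should come back empty: any finding is a secret that belongs in a secrets manager or environment injected at deploy time, not in a file that ships with the application.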
Key Indicators of Compromise (IOCs):
- Threat Actor: “888” (handle on DarkForums)
- Malware: RedLine Stealer; mixed info-stealer logs
- Targeted Domain: skoolbeep.com
- Targeted URL: https://www.skoolbeep.com/login
- Critical Leaked Files: .env, database.php, wp-config.php, aws-config.php, JwtTokenAuthenticate.php
- Known Compromised Credentials (from malware logs): 9632243344/8236979095258525/414856- (and others including Aarush123, abcd1234). Use these for matching against your own user base and forcing resets, not for testing logins.
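Turning the IOCs above into a forced-reset list is the first concrete task for a security team. The Python below is an added example, not part of the original advisory or of any vendor tool. It parses stealer-log entries in the URL / Username / Password / Application block layout that RedLine-family password dumps commonly use (an assumption about the format; the four sample entries are constructed), keeps only entries whose host is skoolbeep.com or a subdomain (a look-alike host is included deliberately and must not match), and marks passwords that appear in the advisory's known-compromised list.

```python
from urllib.parse import urlsplit

# Targets taken from the IOC list above.
TARGET_DOMAIN = "skoolbeep.com"
TARGET_LOGIN_URL = "https://www.skoolbeep.com/login"
# Password values the advisory reports as already present in stealer logs.
KNOWN_COMPROMISED = {"Aarush123", "abcd1234"}
# Minimum response for every matched account.
RESPONSE_ACTIONS = ("force password reset", "revoke active sessions", "notify user")

# Constructed sample log (assumed RedLine-style block layout); all entries are invented.
SAMPLE_LOG = """\
URL: https://www.skoolbeep.com/login
Username: parent.one@example.com
Password: Aarush123
Application: Google Chrome

URL: https://mail.example.net/
Username: parent.one@example.com
Password: unrelated-pass
Application: Google Chrome

URL: https://app.skoolbeep.com/login
Username: teacher.two@example.org
Password: Winter2025!
Application: Microsoft Edge

URL: http://skoolbeep.com.evil-example.test/login
Username: victim@example.com
Password: abcd1234
Application: Google Chrome
"""


def parse_stealer_log(text: str) -> list:
    """Split the log into blank-line-separated blocks of 'Key: value' lines."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def host_matches(url: str, domain: str = TARGET_DOMAIN) -> bool:
    """True for the domain itself or any subdomain; 'skoolbeep.com.evil.test' must not match."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def triage(records: list) -> list:
    """Keep entries for the targeted domain and annotate them for the response team."""
    hits = []
    for record in records:
        url = record.get("url", "")
        if not host_matches(url):
            continue
        password = record.get("password", "")
        hits.append({
            "username": record.get("username", ""),
            "url": url,
            "exact_login_url": url == TARGET_LOGIN_URL,
            "password_known_compromised": password in KNOWN_COMPROMISED,
            # never carry the clear-text password into tickets or reports
            "password_masked": password[:2] + "*" * max(len(password) - 2, 0),
            "application": record.get("application", ""),
        })
    return hits


def reset_list(hits: list) -> list:
    """Unique, sorted usernames that need RESPONSE_ACTIONS applied."""
    return sorted({h["username"] for h in hits if h["username"]})


if __name__ == "__main__":
    found = triage(parse_stealer_log(SAMPLE_LOG))
    for hit in found:
        print(hit)
    print("accounts to reset:", reset_list(found), "actions:", RESPONSE_ACTIONS)
```

Feeding a real log set through this gives the account list for a forced reset and session revocation; the `password_known_compromised` flag only confirms overlap with what has already been published, it does not make the other matches any less urgent.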