{
	"id": "7a4d6620-7925-4a4c-a53d-d244cc56d478",
	"created_at": "2026-04-09T02:22:43.6914Z",
	"updated_at": "2026-04-10T13:11:28.937268Z",
	"deleted_at": null,
	"sha1_hash": "8ec386e23c6c3f3760e6cc5858ebf5dc737ceb2d",
	"title": "Jeffco Public Schools hit by the same threat actors that hit Clark County School District -- and via the same way - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55499,
	"plain_text": "Jeffco Public Schools hit by the same threat actors that hit Clark\r\nCounty School District -- and via the same way - DataBreaches.Net\r\nPublished: 2023-11-02 · Archived: 2026-04-09 02:02:31 UTC\r\nHow many school districts have to get massively hacked by the same method before the U.S. Department of\r\nEducation, CISA, and states start really pressuring public school districts to address well-known vulnerabilities\r\nthat are being exploited?  Maybe that shouldn’t be a rhetorical question.\r\nLast night, DataBreaches was contacted by the same threat actors who claimed responsibility for the hack and data\r\nleak involving Clark County School District   (CCSD) in Nevada.  Of special note, in an interview with\r\nDataBreaches, they revealed how they had gained access to the district’s network.\r\nSingularityMD (as the threat actors call themselves, but note there is no connection to a business with the same\r\nname) provided DataBreaches with a link to a notice by Jeffco Public Schools in Colorado. The notice, dated\r\nNovember 1, stated:\r\nOn October 31, some Jeffco staff members received alarming email messages from an external\r\ncybersecurity threat actor – an individual who has allegedly committed an illegal cybercrime against an\r\ninstitution or organization – indicating a cyber-attack. Jeffco’s Information Technology team is working\r\ntogether with cybersecurity experts and law enforcement to determine the credibility of the attack and\r\nscope of the incident. This is a cyberthreat and there is no concern related to physical safety.\r\nJeffco Public Schools takes data security very seriously and has procedures in place to respond to this\r\ntype of situation given the unfortunate frequency of such incidents across all industries including\r\neducation. 
Keeping our students and staff safe and communicating openly with our families are core to\r\nJeffco’s values.\r\nThis webpage will be updated with more information as it becomes available.\r\nThere has been no substantive update since then.\r\nThe “alarming message”\r\nThe “alarming message” was an email with the subject line Notice of Security Breach.\r\nThe sender was “Anihi Blep” using a mail.com address. DataBreaches had received email from that sender and\r\nemail address in the past following the CCSD breach. The body of the email began:\r\nWe, SingularityMD have included a few relevant parties directly and a selection of principals on cc.\r\nYour overall approach to cyber security is too relaxed.\r\nWe have illegally accessed your network and downloaded the following:\r\nhttps://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/\r\nPage 1 of 3\n\nStaff phone, home addresses, title and a few other details.\r\nParent and Student contact information (past and present) – 90,000 students\r\nStudent school email addresses, emergency contacts name, phone and email, student birthdates –\r\n90,000 students\r\nFull backup of your IT project management directory (this includes past and present projects,\r\nlots of confidential information and system configurations)\r\nAccessed the Follet FTPS from the project management directory and downloaded a full student\r\nlist (outdated). 
We already have this through your other systems such as infinite campus.\r\nSome financial documents\r\nExtracts from Group conversations (Golden HS Staff and Admin \u003e 2000 conversations and files)\r\nFull extract of IEP’s (Individualized Education Program) as at 2020\r\nThe message pointed recipients to previous reporting by DataBreaches about the CCSD breach and then noted:\r\nEither you can pay a fee for disposal of the stolen information or it will be uploaded and made broadly\r\navailable.\r\nThis cyber breach has not been politically motivated in any way, and is viewed by us as a business\r\ntransaction. We are the same team as behind Clark County School District on the 5th October. They\r\nchose not to pay, we are eager for an opportunity to prove that we will destroy the documents on\r\npayment as you will not be the last organization we work with. Due to the above factors the fee for\r\ndisposal in this instance, has been reduced to be far below what it should be.\r\nThe fee was listed as $15,000 in monero, to be paid by November 7.\r\nLinks to proof of claims were provided and the email also spelled out the consequences for failure to pay:\r\n1. All information will be uploaded to the dark web, and to the internet (repeatedly) in an easily digestible\r\nformat\r\n2. Included information about poor security practices on your part will be specifically mentioned in a top-level readme file\r\n3. Using all the Contact information available from your network, every affected parent and staff member will\r\nbe emailed with this information and links to this data leak with suggestions of a class action.\r\n4. News and media will be informed.\r\nA copy of the email, redacted by DataBreaches, appears below this article.\r\nSecond Verse, Same as the First\r\nDataBreaches contacted SingularityMD to ask them some preliminary questions. 
In response, they noted that they\r\nfirst gained access to Jeffco about six months ago — using exactly the same methods that they reported using for\r\nCCSD. Once again, a district’s policy of using students’ date of birth as their password enabled threat actors to\r\nrelatively easily gain access to the network. In discussing the CCSD attack with DataBreaches, SingularityMD\r\n(SM) had stated:\r\nSM: We compromised a student account, then accessed information available to any student to escalate\r\nfrom there to teacher to systems level access for one or two systems. This was not a fancy high tech\r\noperation.\r\nWhen DataBreaches asked how they were able to access the student’s account, they responded that they\r\nobtained the student’s date of birth (YYYYMMDD) from social media, and the email address from the\r\nstudent’s account on “TikTok, etc.” where the student ID had been used as the username because the\r\nstudent authenticated their school account when setting up the social media account. Asked to explain\r\nwhat information was available to any student that allowed them to escalate from the student’s account\r\nto teacher to systems level, they replied:\r\nSM: Google groups and google drives, if not configured correctly will expose teachers and staff files\r\nand conversations. In rare instances teachers have created shared drives and given the google group\r\naccess to this drive. So if one was to add themselves to the group, they can then also access the drive\r\ncontents. Nothing fancy at all.\r\nAccording to SingularityMD, Jeffco’s security was not as weak as CCSD’s: “They are better than CCSD. 
Though\r\ntheir IT Project Management Office have made some significant blunders placing backups and system\r\nconfiguration files in arm’s reach by virtue of the same methods as used in CCSD – public groups and share\r\ndrives. Nothing Fancy.” But they added:\r\nThey are blocking student accounts I message them from, but do not realize that we can literally log\r\ninto 1 in 4 student accounts so have an endless supply of 80k accounts. So this would be points taken\r\noff.\r\nDataBreaches will be following up on this incident and notes that Jeffco did not respond to an email inquiry sent\r\nto it last night asking it to confirm or deny whether it used date of birth as student passwords and whether the\r\ndistrict was requiring an immediate password reset that doesn’t involve the use of date of birth.\r\nThe risks of using date of birth as passwords for student accounts have been recognized for years. The CCSD\r\nbreach has affected more than 200,000 students. The Jeffco one allegedly affects 90,000 students. Both breaches\r\nalso affect district employees.\r\nSo when will the U.S. Department of Education and/or states make it absolutely clear that districts should not use\r\ndate of birth as passwords and that districts may risk state enforcement action and/or risk losing federal funding\r\nfor failure to adequately protect student information if they continue to do so?\r\nSource: https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/"
	],
	"report_names": [
		"jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way"
	],
	"threat_actors": [
		{
			"id": "e3780667-cbca-4671-a9ff-073305fdc58b",
			"created_at": "2023-11-10T02:00:07.49368Z",
			"updated_at": "2026-04-10T02:00:03.435856Z",
			"deleted_at": null,
			"main_name": "SingularityMD",
			"aliases": [],
			"source_name": "MISPGALAXY:SingularityMD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701363,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ec386e23c6c3f3760e6cc5858ebf5dc737ceb2d.pdf",
		"text": "https://archive.orkl.eu/8ec386e23c6c3f3760e6cc5858ebf5dc737ceb2d.txt",
		"img": "https://archive.orkl.eu/8ec386e23c6c3f3760e6cc5858ebf5dc737ceb2d.jpg"
	}
}