Imagine discovering that 62,488,628 student records were stolen — not through some exotic zero‑day exploit, but because an attacker used a stolen password to stroll through a customer support portal that didn’t even have multi‑factor authentication.
That’s exactly what happened when the PowerSchool breach unfolded in late 2024, exposing the personal data of nearly 9.5 million teachers across 6,505 school districts, too.
It gets worse. In the UK, a staggering 97% of higher education institutions suffered a cybersecurity breach or attack last year — and every single one faced phishing, the highest rate of any sector surveyed, according to the government’s Cyber Security Breaches Survey 2024.
While headlines love to shout about state‑sponsored hacking rings and zero‑day chains, the truth is quieter and far more dangerous: most learning and development stacks are riddled with credential sprawl — shared logins, forgotten course accounts, and integrations that nobody tracks.
This article exposes those hidden gaps, explains why they’re a ticking time bomb, and hands you a practical audit framework you can start using today to stop a breach before it becomes your headline.
The Attack Surface You’re Ignoring: Your Learning Stack
Your team’s learning stack is the constellation of tools everybody touches daily: a learning management system like Canvas, Blackboard, or Moodle; course marketplaces such as Coursera or Udemy for Business; video‑conferencing platforms; content libraries; AI‑powered assistants; and a dozen third‑party plugins and integrations that bridge them all. It’s the digital backbone of upskilling, onboarding, and compliance training.
And it’s exploding. A recent analysis from Talented Learning found that 72% of organisations have already deployed a digital learning platform, and BetterCloud reports that the average company now juggles 106 SaaS applications.
This sprawl isn’t accidental — during the pandemic, the number of new apps added per month jumped, and it never dropped back to pre‑pandemic levels, according to data from Torii. In higher education specifically, 94% of professionals have used AI tools for work in the past six months, yet only 54% know their institution’s AI policies — a classic sign of tech sprawl outpacing governance.
Why does this matter? Because each of those tools demands its own admin accounts, instructor seats, or team logins. The default move? Share one set of credentials across the whole department. Multiply that by dozens of apps, and you’ve built an attack surface so wide nobody’s even trying to map it.
Why Credential Sprawl Is a Ticking Time Bomb
Sharing one password for a single platform might seem harmless — after all, it’s just a course library, right? But the numbers tell a much scarier story. According to Push Security, 73% of confirmed identity‑based breaches in 2024 started with compromised credentials. That’s not abstract: when infostealers grab your LMS login from a personal device, they’re not just unlocking one course — they’re testing that same password against your email, your HR system, your financial dashboard.
And reuse is rampant. A Security Magazine survey found that 78% of people reuse passwords, while research from Keeper Security shows employees have shared work passwords over text or email. You’re not just risking a single account — you’re risking every system that password can unlock.
Meanwhile, shadow IT keeps growing: 41% of employees are already acquiring or creating technology that IT doesn’t know about, a figure Gartner expects to hit 75% by 2027, as reported by Auvik. It also highlights that 55% of companies faced a SaaS security incident in the past two years.
When your learning stack sits on a foundation of shared, reused, and unmanaged credentials, you’re not defending a single door — you’ve left every window open, too.
Real-World Wreckage: When Stolen Credentials Unlock Everything
The PowerSchool breach is the poster child for this nightmare. Hackers used stolen credentials to access a customer support portal that lacked MFA, then roamed the system for 11 days before anyone noticed. The fallout? 62,488,628 student records and 9.5 million teacher records spread across thousands of districts (BleepingComputer). All because a single password gave away the keys.
PowerSchool isn’t unique. In the 2024 Snowflake attack, criminals used credentials stolen by infostealers — some dating back to 2020 — to compromise 165 organizations. Those accounts had no MFA, so a valid username and password alone were enough.
Push Security notes that this wave alone affected roughly hundreds of millions of victims in just one quarter. And the cost of such breaches? IBM’s data shows the global average hit $4.88 million in 2024.
In education, the danger is even sharper. The same UK government survey found that 27% of higher education institutions suffered unauthorized access by staff and 20% by outsiders — both wildly above the 1% rate for average businesses.
When a single shared LMS login gets compromised, the blast radius can cover everything from student records to payroll. The lesson is brutal: credential sprawl isn’t a theoretical risk; it’s the common thread running through the worst breaches.
A Practical Audit Framework to Close the Gaps
Ready to stop treating your learning stack like a sieve? Here’s a five‑step audit you can run this week.
Step 1: Map every piece of your learning stack
List every platform your team touches — LMS, course libraries, video tools, assessment software, AI add‑ons. For each, ask: who has access, and are any logins shared? Auvik reports that this inventory will almost certainly uncover surprises.
Step 2: Kill password reuse and sharing
Replace shared logins with individual, unique credentials. With 78% of people reusing passwords (Security Magazine), the “one password to rule them all” habit has to go. Ban sharing via text or email — a practice employees admit to — and stop the sticky‑note parade.
Step 3: Enforce multi‑factor authentication everywhere
MFA blocks 99.9% of automated attacks even if a password is stolen, as highlighted by research from Datafloq. PowerSchool and Snowflake both exploded because accounts that could have been protected by MFA were left wide open. If a platform doesn’t support MFA, question whether it belongs in your stack at all.
Step 4: Make offboarding airtight
Revoke every learning‑app access the moment someone departs. BetterCloud found that an automated, verifiable deprovisioning process isn’t a nice‑to‑have — it’s survival.
Step 5: Deploy a business‑grade password manager that was built for teams
This is where a dedicated password manager can help transform everything. It uses zero‑knowledge, end‑to‑end encryption (256‑bit AES‑GCM) along with built‑in 2FA, email alias generation, dark‑web monitoring, so you no longer need to text a password or scribble it on a note, and you’ll have full visibility into who can access what.
Caveats & Counterpoints
No single tool is a silver bullet. A weak master password or a compromised admin account can still open the door, and getting an entire team to adopt new habits takes leadership buy‑in, not just software.
MFA isn’t flawless either — SIM swapping and push fatigue exist — but it remains the strongest first defence we’ve got.
And while enterprise‑grade password managers can feel expensive for small L&D teams, the price of inaction is far higher.
Closing the Gaps
Credential sprawl in your daily learning stack is a vulnerability most organisations have never formally assessed — yet it’s the common backdoor behind some of the biggest education breaches in history. Shared passwords, shadow IT, weak offboarding, and a lack of MFA add up to an open invitation for attackers.
The good news? A straightforward audit and a commitment to team‑wide password hygiene can slam that door shut. Map your stack, kill the reuse habit, enforce MFA, clean up offboarding, and put a purpose‑built password manager at the center.
Start the audit today, and turn your learning stack from a hidden liability into the secure engine it was meant to be.
