SkoolBag secure says MOQ, after user creds found in massive dump

MOQ, the ASX-listed firm behind popular school communications tool SkoolBag says its app is secure following the discovery of user credentials in a major dump of emails and passwords earlier this month.

The company today confirmed a “limited number” of user email addresses and encrypted passwords used to login to the platform were among those in the 87GB dump of credentials – dubbed Collection #1 – found on file-upload service MEGA two weeks ago.

Security researcher Troy Hunt, the operator Have I Been Pwned, recently revealed details of Collection #1 which contains 1,160,253,228 unique combinations of email addresses and passwords.

The dump is made up of “many different individual data breaches from literally thousands of different sources,” Hunt wrote.

MOQ today said that its SkoolBag security team “did not find any evidence of use of or unauthorized activity on the SkoolBag platform”.

The SkoolBag app allows schools to communicate with parents with alerts and in-app newsletters. It has more than 3,000 subscriptions and claims to be “Australia’s leading school communication app”.

The company said it did not consider the breach to be an ‘eligible breach’ under the government’s Notifiable Data Breach legislation, which compels companies with an annual turnover of $3 million or more have to disclose information breaches that involve individuals’ personal information.

This is because “there is no evidence to suggest that the breach is likely to result in serious harm to one or more individuals,” MOQ said in its announcement to the ASX this morning.

“This is in part because of the nature of the information breached, the remoteness of the harm to individuals likely to result, and due to the extensive remediation actions undertaken,” MOQ added.

Nevertheless, potentially affected individuals have been notified and additional security measures are being implemented, MOQ said.