社区黑料

Get stories like this delivered straight to your inbox. Sign up for 社区黑料 Newsletter

In July, a group of teenagers hacked an educational technology company that serves thousands of school districts across the United States. Two months later, they told the company, their peers and policymakers how they did it and why it was a good thing for them, the company and our country.

No, you鈥檙e not experiencing d茅j脿 vu. No, we’re not talking about some recent cyber incidents caused by teenagers, such as the PowerSchool data breach by a 19-year-old hacker from Massachusetts in 2024 who accessed sensitive data of more than 60 million students and 10 million teachers.

Watching PowerSchool make a comeback from such an incident made it clear that organizations can no longer afford to wait for proof that weaknesses exist. Continuous testing and engaging diverse perspectives are the best ways to stay ahead. That鈥檚 why this effort that began in July was intentionally designed to make students part of the solution, not the problem 鈥� to transform the same curiosity and skill that might lead to hacking toward cyber defense. 

After all, kids have been hacking computers, systems and schools since they鈥檝e existed 鈥� and they鈥檒l keep doing it. The difference now is that teenage defenders can help protect against teenage attackers.

The large-scale cyber incidents by teenagers emphasize three interconnected problems facing schools and our broader society:

First, our schools are dependent on a few key technology vendors that, if hacked, could shut down school districts across the country or lead to massive breaches of sensitive student, teacher and family data.

Second, teenage hackers who are fluent English-speakers 鈥� in loosely affiliated groups that go by names like Scattered Spider, Shiny Hunters, and Lapsus 鈥� have been behind some of the biggest cyber incidents in the past few years. They鈥檝e hacked organizations from Caesars casinos to Snowflake to Salesloft. Even giants like Google and Microsoft haven鈥檛 been spared. 

Some cyber experts have begun calling these young hackers Advanced Persistent Teenagers (or APTeens), a play on Advanced Persistent Threats (or APTs), the term used to describe sophisticated nation-state hacking groups from countries like China, Russia, Iran and North Korea. 

Ultimately, our country faces a cyber workforce challenge that most strongly impacts 鈥渢arget rich, cyber poor鈥� sectors like schools, state and local governments, and small businesses that lack the funding and capacity to defend themselves against cyber threats.

With a different approach, progress can be made on all three problems 鈥� insecure tech, teenage hackers and the cyber workforce challenge 鈥� by creating an alternative pathway for teenage hackers. To make this work, edtech companies, hackers, policymakers, higher education and even high schools must provide a pathway that builds the skills the workforce needs. That includes offering the opportunity to receive immediate payment for hacking and bolstering the cybersecurity of key technologies society relies on daily.

With this in mind, in July, joined the and the to flip the APTeen challenge on its head. The goal was to promote hacking for good to secure our schools. The EdProtect Cybersecurity Research Symposium brought together teenage hackers, professional security researchers, and Skyward, a widely used edtech product, for a two-week live hacking event. 

The teenagers, college students from around the country, received support and training as they worked to find and report bugs. We know people learn best through hands-on experiences where novices can work alongside seasoned professionals and mentors, who were once teenagers too.

While live hacking events and bug bounty programs 鈥� where companies pay good-faith security researchers to find and share software bugs that can be used to hack their systems 鈥� are not new, they are rare in 鈥渢arget rich, cyber poor鈥� sectors like education. 

Since the nation鈥檚 14,000 school districts rely on the same few software vendors for their critical infrastructure, efforts like this to strengthen the cybersecurity of key vendors can have a dramatic impact for millions of students, families and teachers across the country. Furthermore, these endeavors shift the burden for managing cyber risk to the companies that are best positioned to address it.

Did you use this article in your work?

We鈥檇 love to hear how 社区黑料鈥檚 reporting is helping educators, researchers, and policymakers.