High school changes every student’s password to ‘Ch@ngeme!’



After a cybersecurity audit mistakenly reset everyone’s password, a high school changed every student’s password to “Ch@ngeme!”, giving every student the chance to hack into any other student’s account, according to emails obtained by TechCrunch.

Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”

“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”

Needless to say, giving everyone the same password is not how an organization should force a password reset. The usual procedure is to force every user to log out, and then prompt them to change their password the next time they try to log in.
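As an added illustration (not code from the school, its vendor or TechCrunch), here is a sketch of a per-account reset, assuming the accounts are managed through the Google Workspace Admin SDK Directory API, whose user resource has `password` and `changePasswordAtNextLogin` fields. The account names and helper functions are constructed for the example, and it only builds and audits request bodies without calling any API.

```python
import secrets
import string
from collections import Counter

# Letters and digits only, so a temporary password survives being read aloud or emailed.
ALPHABET = string.ascii_letters + string.digits


def temp_password(length=16):
    """Random one-time password from the OS CSPRNG (about 95 bits at length 16)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_reset_plan(emails):
    """Map each account to a users.update body with its own temporary password."""
    return {
        email: {"password": temp_password(), "changePasswordAtNextLogin": True}
        for email in emails
    }


def audit_plan(plan):
    """Return findings for a plan that shares passwords or does not force a change."""
    findings = []
    counts = Counter(body["password"] for body in plan.values())
    for email, body in sorted(plan.items()):
        if counts[body["password"]] > 1:
            findings.append((email, "password shared with other accounts"))
        if not body.get("changePasswordAtNextLogin"):
            findings.append((email, "no forced change at next login"))
    return findings


# Constructed sample accounts (example.edu is a placeholder domain).
STUDENTS = ["student1@example.edu", "student2@example.edu", "student3@example.edu"]

# Modelled on the email: one known password for everyone, with the change only
# "suggested" (assumed here to mean it was not enforced).
shared_plan = {
    e: {"password": "Ch@ngeme!", "changePasswordAtNextLogin": False} for e in STUDENTS
}
unique_plan = build_reset_plan(STUDENTS)

if __name__ == "__main__":
    print(len(audit_plan(shared_plan)), "findings in the shared-password plan")
    print(len(audit_plan(unique_plan)), "findings in the per-student plan")
```

Each temporary password still has to reach its student or parent over a separate channel, one account at a time.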

Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”

Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.

“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work— anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.

A day later, the school realized the mistake and told parents in an email that the Education Technology Department “will be emailing you a special password process over the weekend that will be unique to your specific student.”

OPRF superintendent Greg Johnson and assistant superintendent/principal Lynda Parker did not respond to multiple requests for comment sent via email.

Do you have information about cybersecurity issues at other schools? Or about cyberattacks against schools? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
