After a cybersecurity audit mistakenly reset everyone’s password, a high school changed every student’s password to “Ch@ngeme!” giving every student the chance to hack into any other student’s account, according to emails obtained by TechCrunch.
Last week, Oak Park and River Forest (OPRF) High School in Illinois told parents that during a cybersecurity audit, “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”
“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today,” the school, which has around 3,000 students, wrote in an email dated June 22. “We strongly suggest that your child update this password to their own unique password as soon as possible.”
Needless to say, giving everyone the same password is not how an organization should force a password reset. The usual procedure is to force log out every user, and then prompt them to change their password the next time they try to log in.
Manning Peterson, the mother of an OPRF student, replied that “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”
Peterson said that after this email, she tried to reset her son’s password but it wasn’t possible.
“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Peterson said in an email to TechCrunch.
A day later, the school realized the mistake and told parents in an email that the Education Technology Department “will be emailing you a special password process over the weekend that will be unique to your specific student.”
OPRF superintendent Greg Johnson and assistant superintendent/principal Lynda Parker did not respond to multiple requests for comment sent via email.
Do you have information about cybersecurity issues at other schools? Or about cyberattacks against schools? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.