It’s Bad Enough to get Hacked by a Hacker, but When it’s your School…
How does a precautionary security measure turn into a possible cybersecurity nightmare? Just ask Oak Park and River Forest High School in Illinois.
A cybersecurity audit was being conducted at the high school, and rather than helping to further protect the school, it unintentionally made its students a target not only for cybercriminals, but for each other.
During the audit, the student passwords were mistakenly reset to “Ch@ngeme!”. Not only did this leave students at the high school open to outside security threats, but it also left the door open for students to hack into each other’s accounts.
In a June 22 email that was sent to parents, it was explained that “due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account.”
The email continued that “to fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account. This password change will take place beginning at 4 p.m. today. We strongly suggest that your child update this password to their own unique password as soon as possible.”
Changing every student’s password to the same value, and then announcing that value to everyone, is a wildly irresponsible way to handle a situation where a password reset is required. Rather, school officials should have opted to force a logout of every user, and then prompt each of them to change their password before their next login.
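As an added illustration (not code from the school, its vendor, or TechCrunch), here is a sketch of a mass reset that gives each account its own random temporary password and forces a change at next sign-in, plus an audit that would have blocked the shared “Ch@ngeme!” rollout. It goes slightly beyond the text by issuing unique temporary passwords. The record field names follow the Google Workspace Directory API User resource; the student addresses and helper names are constructed for the example.

```python
import secrets
from collections import Counter

# Unambiguous alphabet (no 0/O, 1/l/I) so a temporary password is easy to type.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"

def temp_password(length=16):
    """Random one-time password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_reset_batch(emails):
    """One record per account: unique temporary password, forced change at next sign-in."""
    batch, used = [], set()
    for email in emails:
        pw = temp_password()
        while pw in used:  # collision is vanishingly unlikely; loop makes uniqueness certain
            pw = temp_password()
        used.add(pw)
        batch.append({"primaryEmail": email, "password": pw,
                      "changePasswordAtNextLogin": True})
    return batch

def audit_batch(batch):
    """Return findings that must block a rollout: shared passwords or no forced change."""
    counts = Counter(r["password"] for r in batch)
    problems = []
    for r in batch:
        if counts[r["password"]] > 1:
            problems.append((r["primaryEmail"], "password shared with another account"))
        if not r.get("changePasswordAtNextLogin"):
            problems.append((r["primaryEmail"], "no forced change at next sign-in"))
    return problems

# Constructed sample accounts (not real addresses).
STUDENTS = ["student1@school.example", "student2@school.example",
            "student3@school.example"]

# The reset described in the email: one password for everyone. Modelled without a
# forced change (an assumption), since the email only "suggests" updating it.
SHARED_BATCH = [{"primaryEmail": e, "password": "Ch@ngeme!",
                 "changePasswordAtNextLogin": False} for e in STUDENTS]

if __name__ == "__main__":
    print("shared reset findings:", len(audit_batch(SHARED_BATCH)))
    print("unique reset findings:", len(audit_batch(build_reset_batch(STUDENTS))))
```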
Manning Peterson, a mother of one of the students at OPRF, replied to the email by saying, “this is terribly insecure and you have just invited every single students [sic] accounts to get hacked.”
Additionally, after reading the email from the school, Peterson said they attempted to change her son’s password but were unable to.
“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work – anything saved on google drives (docs sheets and slides),” Peterson told TechCrunch.
The next day, the school sent another email to parents noting that the Education Technology Department “will be emailing you a special password process over the weekend that will be unique to your specific student.”
It’s bad enough when a school is hacked by bad actors, but when the school itself is the culprit? It might be time for a rework of their security policies.
Story via TechCrunch