Illinois High School Changes All Students’ Passwords to ‘Ch@ngeme!, then Tells All Parents

A high school in the US state of Illinois made the uninspired decision to assign the same password to every student, essentially giving everyone access to the accounts of their fellow students.

During a cybersecurity audit last week, IT administrators at Oak Park and River Forest (OPRF) High School incurred an error due to a blunder of one of its IT vendors.

“Due to an unexpected vendor error, the system reset every student’s password, preventing students from being able to log in to their Google account,” the school, which has some 3,000 students, told parents in an email on June 22.

But then the school’s IT staff made an even bigger blunder.

“To fix this, we have reset your child’s password to Ch@ngeme! so that they can once again access their Google account,” the school said. “This password change will take place beginning at 4 p.m. today. We strongly suggest that your child update this password to their own unique password as soon as possible.”

OPRF’s system administrators somehow failed to realize that giving everyone the same password essentially gave all students access to their colleagues’ accounts, including Gmail accounts.

Unsurprisingly, at least one parent of a child at OPRF decided to test out this theory, and successfully logged into not one, but several accounts.

“My son and I were able to log into several of his peers [sic] google accounts, which gave access to all emails, papers, class work—anything saved on google drive (docs sheets and slides),” Manning Peterson, the mother of an OPRF student, told TechCrunch in an email.

The school quickly realized the slip up. In a second email the following day, OPRF told parents that the Education Technology Department “will be emailing you a special password process over the weekend that will be unique to your specific student.”

It’s unfortunate that OPRF administrators did such a poor job handling their students’ Google accounts. To the school’s defense, the “vendor error” likely forced its IT people to act faster than they were prepared to.