School District Still Using Default Login For Admin Account Surprised To Learn Its Site Has Been Hacked

from the the-password-is-'password'-but-with-a-1 dept

A Texas school district is learning the hard way about website security basics. If you'd like to keep your site from being compromised, the very least you can do is reset the default login. According to a post at Hackforums, the Round Rock Independent School District of Austin, TX was using the following name and password for its admin account. (h/t to Techdirt reader Vidiot)

hacked - idiots used default login/pass



u; admin

p; admin1

Once compromised, the hacker(s) dropped sexual terminology, racist statements and a few memes all over the Round Rock ISD site. The "Welcome" splash screen was altered to deliver the following "warning:"

ATTENTION PARENTS AND STAFF: REDDIT HAS BEEN RAIDING ALL OF THE WEBSITES IN ROUND ROCK ISD AND POSTING PORNOGRAPHIC IMAGES. PLEASE REFRAIN FROM USING ANY ROUND ROCK ISD WEBSITES UNTIL FURTHER NOTICE. THANKS

Needless to say, this wasn't an official message from the school. Additional text next to the principal's photo noted that Caldwell Heights Elementary was a "Jewish Internet Defense Force (JIDF) World School" and that the school's goal was to "develop strong partnerships" with parents and "touch every child -- especially the littler ones." The "statement" was signed by "moot."

Another page features an apology from the principal ("Sorry for the AIDS") and a copy-pasta spinoff of the Navy SEAL rant meme that takes the memorable posturing and sweary proto-military threats and spins them into a defense of every slighted non-white male ever.

The district's reaction to this hacking has been particularly hilarious and prone to over-sensitive overstatements, if its hands-off approach to security provided the hole for the hackers to waltz on through.

"We have a third party managing the site (SharpSchool) and we have instructed them to take their time getting everything back up and running," said JoyLynn Occhiuzzi from the Round Rock ISD. "We want them to pull everything together and protect as much information as possible about how this happened so we can make sure it doesn't happen again."

Well, I would assume changing the login and password was at the top of the To Do list. This may not entirely be the district's fault. SharpSchool likely bears some of the blame here, especially if it never bothered to ensure the admin login was something stronger than admin/admin1.

"It's disappointing that someone would take the time to hack into our websites…"

Yes, it's "disappointing" that someone would have to try more than a handful of variations of the World's Dumbest Passwords before being granted access to the back end.

The site remained down for a few days, replaced with a placeholder image and a somewhat cheery apology. Local police say they will press charges if they manage to find the hacker(s) behind the defacement. The school district has also made statements along the same lines, but finding who's responsible will be considerably harder than accessing the site without permission.

The altered message on the welcome screen pinned the blame on Reddit, but considering its obviously fake origin, it probably shouldn't be trusted.

The Houston Chronicle article contains this sentence which strains credulity to its breaking point.

Many of the pages can't be printed but one did name a group "9gag" as being behind the "raid" that came from their "mother's basement."

Given Reddit's antipathy towards 9gag, this would seem to swing the finger of blame back on the Front Page of the Internet. Of course, the internet is filled with people and groups who hate 9gag, so that's hardly conclusive. The faux signature appended to the principal's photo ("moot") would seem to implicate 4chan, but Not Your Personal Army doesn't really sign its work. And the fact that the actual principal (Barbara Bergman) wasn't doxed and scattered across the internet would seem to indicate that the Internet Hate Machine didn't perform this particular defacement.

The details that have been made public indicate a rather amateurish job. There's a lot of namedropping going on, but a school site with an unfortunate login/password combination is hardly the sort of target these "groups" would expend much energy hassling.

Considering no real damage was done (other than a few people being offended), perhaps the district should just count its blessings and change the damn password. No data was lost and whatever downtime resulted from the defacement should be borne cost-wise by the third party paid to run the site(s). Prosecuting some low-level vandal for this temporary inconvenience won't prevent anyone from doing this sort of thing in the future. The easiest way to dissuade bored hackers is to put up at least a tiny bit of resistance in the security department -- something a simple login/password change months ago would have ensured.
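The kind of check a hosting platform could run whenever an admin password is set, so that a pair like admin/admin1 is refused, is sketched below as an added example (not code from Techdirt, SharpSchool or the district). The deny-list, the substitution table and the 12-character minimum are assumptions chosen for illustration.

```python
import re

# Constructed deny-list for illustration; only "admin1" comes from the article.
DEFAULT_PASSWORDS = {"admin", "admin1", "password", "changeme", "letmein", "welcome"}

# Undo common look-alike substitutions ("P@ssw0rd" -> "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _stem(value):
    """Lowercase and strip digit/punctuation padding: 'Admin1!' -> 'admin'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", value.lower())


def credential_problems(username, password, min_length=12):
    """Return the reasons a username/password pair should be refused."""
    lowered = password.lower()
    # Every normalised form of the password that we compare against.
    forms = {
        lowered,
        _stem(lowered),
        _stem(lowered).translate(LEET),
        _stem(lowered.translate(LEET)),
    }
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if forms & DEFAULT_PASSWORDS:
        problems.append("known default password")
    user_stem = _stem(username)
    if user_stem and user_stem in forms:
        problems.append("derived from username")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs; the first is the pair reported in the article.
    samples = [
        ("admin", "admin1"),
        ("webmaster", "P@ssw0rd"),
        ("jsmith", "Jsmith2024!!"),
        ("admin", "correct horse battery staple"),
    ]
    for user, pw in samples:
        print(f"{user!r} / {pw!r}: {credential_problems(user, pw) or 'ok'}")
```

A password that passes this check is not necessarily strong; the check only closes the username-plus-a-digit and vendor-default cases the article describes.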

Filed Under: austin, hacked, passwords, round rock school district, school district