A student government election in California has taken a bizarre turn after one of the candidates admitted to hacking fellow students in an effort to fix results.
According to local news site Berkeleyside, the unnamed student at Berkeley High School took advantage of weak passwords and default credentials to get into the email accounts of more than 500 fellow students and cast fraudulent votes for themself and another unsuspecting candidate.
The report notes that this year's student body elections were the first to be held online, with students logging in and casting votes with the Google for Education email address they receive from the Berkeley Unified School District when they enroll in one of the city's schools.
For those of us who graduated in the days before Google's school offerings, students use these accounts to complete assignments, communicate with their peers and teachers, and apparently even vote in school elections.
In the midst of the voting period, the student who oversees the school elections noted unusual voting patterns for two candidates running for student-body president and vice president, respectively. The votes were being cast by students alphabetically, at odd hours, and all at once.
Lest you think millennials are any better at infosec than us old heads, it turns out the students at Berkeley High (located in the shadow of the UC Berkeley campus, no less) had by and large been leaving the default login (a combination of "Berkeley" and the student's district ID number) on their Google accounts.
With so many students leaving easily guessed passwords on their accounts, the candidates were able to take control of hundreds and cast votes in their favor simply by looking up the students' ID numbers. After the ruse was discovered, the votes were reset and students were allowed to recast their ballots. Not surprisingly, the ballot stuffers did not win this time.
The Berkeley Unified School District did not respond to a request for comment, but hopefully the student passwords were also reset.
While Google for Education does allow for two-factor authentication, the option must be enabled by an administrator, and while most kids these days have smartphones, getting multi-factor set up for an entire school district (Berkeley High School alone has 3,000 students) may not be practical.
Still, the incident should be a warning to students and parents alike to make sure you change your password from the default credentials to something more secure and harder to guess. While the idea of a student hacking an election grabs headlines, in the grand scheme of things there are far worse things that could have been done with these hijacked accounts. ®