Infinite Campus hack (updated)

Pranav Iyer

Story by Pranav Iyer and Pranav Jandhyala

For more than a day, Infinite Campus, a district system that students use in order to access their unofficial transcripts, was shut down immediately following the discovery that an MVHS student accessed information from other students’ portals. The site became available again only after, at the prompting of administration, students changed their default password s from their birthday to a more secure combination.

El Estoque interviewed several sources, some who chose to remain anonymous for the purpose of ensuring their safety.

“The moment I heard someone recite to me several people’s cumulative GPAs, as well as mine, exactly to the point, I knew something fishy was going on,” said a student whose Infinite Campus account was infiltrated.

Most people would believe that it would take a computer genius to hack this highly secure system. However, one MVHS student found a way to look at the GPAs of many others through Infinite Campus on accident.

How it happened

“One day in Lit class, I tried to share a document with someone else, and I found out that I could access every FUHSD email through Google Drive on the FUHSD domain,” the perpetrator said. “If you attempt to share a document with someone on Drive if you are logged into your Infinite Campus accounts, their FUHSD email, which is their Infinite Campus username, becomes visible. From there I [figured out] that everyone’s default password was their birthday. So I became curious about other people’s grades and decided to log into their Infinite Campus accounts.”

On Sept. 12, several MVHS students were talking after school when the student who initiated the revealing of others’ private information approached them.

“He started sharing the grades of a lot of students and we eventually realized how he was able to get everyone’s information,” one of them said, “Why would you make someone’s password their birthday? It is so easy to access.”

A student’s Infinite Campus portal contains vaccination and other medical information, academic records, house address, parents’ emails, and even lunch line purchases.Untitled Infographic

“Basically whatever information the district collects about you is visible to the person who is in your account,” an anonymous source said. “The school screwed up by making all this information so easy to access.”

According to student sources, an MVHS student found a way to gain access to the personal information of many students in the FUHSD, or at least those who were friends with the student on Facebook. They said that although they did not take part in the acquisition of such information, they were “witnesses” to said crimes.

As sources went on to mention, the perpetrator created a Facebook chat with them where he released the grades and other confidential information of many MVHS students. The chat became a medium in which they could delve into the private lives of these individuals, finding surprises here and there, contradictions between students’ personality and grades that they found interesting and then discussing them. In addition, he made little attempt to conceal what they were doing from his classmates.

Junior Anindit Gopalakrishnan was a victim of the hack.

“One guy came up to me and said that [name removed] knows your grades and he is yelling them out in the library,” Gopalakrishnan said.

Gopalakrishnan went straight to the office when he heard that his privacy had been violated.

“I was mad because I know that he was doing this for other people too, but I was not mad at him directly. I was mad that he was able to have access to my account,” Gopalakrishnan said.

When Gopalakrishnan went to the office, he told administration that someone had access to his Infinite Campus account and that he probably also had access to the accounts of many other students. However, he admitted that someone had just told him that this was happening and that he had no concrete proof. They asked him who had told him this information, but in an attempt to protect the student who had informed him, he said that he would handle it on his own.

Before students were required to change their FUHSD account password, few cared about changing it because they rarely used the account. Even if they wanted to change it, they had to do so on school computers, which seemed a hassle to many.

“It was somewhat difficult to change your password before all this, so almost no one did,” Gopalakrishnan said.

Hours after Gopalkrishnan went to the office for the first time, he discovered the details about what had happened.

“People started telling me more about it. Apparently, the student and a few other students hacked into a database of student IDs, so they could get into anyone’s account if they could find their birthday,” he said.

Even though he did not want the office to worry about it, they had already told the district and called him in on Sept. 15 for a second time, demanding the names of those involved.

“They said that if they found out stuff and I did not tell them, I would get in a lot of trouble,” said Gopalakrishnan said., “The guy kept telling me that I had to start saying names, and I said as much as I could.”

The same day, some of the students involved were called in and the original instigator was suspended for the rest of the week. However, a suspension is a very lenient punishment considering the fact that in many similar cases, the culprits were faced with criminal charges.

In an interview with Assistant Principal Leslie Robledo, our staff summarized to her what we heard from our sources to see if she could approve it as fact. This was her response.

“I don’t know what your talking about,” Robledo said. “I don’t know who your sources are.”

She also said that she was only notified that the system was down, some changes had to made to it, and that students had to change their passwords.

What to take away from it

Some sources said that the reason only one person was suspended was because the rest of them did not log into any student’s account and that they only shared and discussed the private information that was revealed to them. However, the original culprit asserts that more than one student was involved in the illicit act of receiving information from a student’s account.

“I can tell you that I was not the only person who went into other peoples’ accounts and saw their grades. I was just the only one who admitted it,” the original perpetrator said.

According to Gopalakrishnan, it is impossible that anyone acquired his correct birthday from Facebook because his Facebook birthday is false. He also said that he is not close enough to the original hacker for him to know his birthday. So it is likely that someone else who was closer to Gopalakrishnan must have supplied him with the information.

He also noted that to his knowledge, the person alone had released the private information of more than ten people, and he believes that the other students involved did about the same.

In any case, Gopalkrishnan does not believe that it is solely the fault of the student who decided to compromise his private information, but rather the fault of the school that his private information was released.

“I think that it was really stupid that students went into other students’ accounts, but at the same time I think that the whole district is more at fault because they pretty much left the whole database open, and they made it hard for a student to change their password to something besides their birthday. “I don’t think that he or anyone else deserves any significant punishment for this,” Gopalakrishnan said.

What shocks many students, parents, and administration about this incident is how easy it was to hack into the most private information of students. Also, if the instigator had not been so outspoken, students’ privacy could have continued to been violated in secret.

“[We] would have kept going into people’s accounts in secret if I had not been so obvious about it. [We] would have never gotten caught looking at other students’ GPAs,” the original perpetrator said.

* article updated due to administration comment