Students in the Montgomery County Public School System (Maryland) are being forced to reset their passwords for the college prep service Naviance, which suffered a brute-force attack on October 3rd. A brute-force attack occurs when an attacker tries to log in to user accounts using a large list of potential passwords, in the hope of guessing some passwords correctly. Brute-force attacks are effective because many people use weak or guessable passwords and some websites allow an unlimited number of failed login attempts.

The attack occurred over two hours and affected around 1,350 students, a majority of whom attend Wheaton High School. Information that was accessed included name, date of birth, highest ACT score, ethnicity, grade level, highest IB score, gender, student ID number, student address, GPA, weighted GPA, home phone number, email address, highest SAT score, mobile phone number, assigned counselor, highest PSAT score, and nickname. The district took quick action and was able to neutralize the threat.

The Washington Post obtained a statement from Derek Turner, a spokesman for Montgomery County Schools, who said that a student who did not attend Wheaton High School wrote a program that allowed for a massive number of login attempts. Mr. Turner declined to identify the student they believe is responsible because the student is a minor, but he did add that the responsible party may face criminal charges as well as disciplinary action from the school district. Many questions have been raised as to why no alarms were triggered on Naviance’s side, and Naviance has not given a response at this time.
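The kind of alarm the article asks about can be a simple sliding-window check on failed logins. The following is an added example, not code from the article, the school district or Naviance; the event tuple layout, the thresholds and the sample addresses and usernames are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_bruteforce(events, window=timedelta(minutes=5),
                      max_failures=20, max_accounts=10):
    """Flag sources whose failed logins inside a sliding window exceed
    either a total-failure or a distinct-account threshold.

    events: iterable of (timestamp, source, username, success), time-ordered.
    Returns one alert dict per offending source (first crossing only).
    """
    recent = defaultdict(deque)   # source -> deque of (timestamp, username)
    alerts = {}
    for ts, source, user, success in events:
        if success:
            continue
        q = recent[source]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if source not in alerts and (len(q) > max_failures
                                     or len(accounts) > max_accounts):
            alerts[source] = {"source": source, "first_alert": ts,
                              "failures": len(q), "accounts": len(accounts)}
    return list(alerts.values())

def sample_events():
    """Constructed log: one noisy source plus one ordinary user."""
    start = datetime(2024, 1, 1, 9, 0, 0)   # constructed date
    events = []
    # Constructed: 120 failures, one every 5 s, cycling through 40 accounts.
    for i in range(120):
        events.append((start + timedelta(seconds=5 * i), "203.0.113.7",
                       f"student{i % 40:03d}", False))
    # Constructed: a real user mistypes twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((start + timedelta(seconds=30 + 10 * i),
                       "198.51.100.4", "student007", ok))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect_bruteforce(sample_events()):
        print(alert)
```

Counting distinct accounts per source catches attempts spread thinly across many users, which a per-account lockout alone would miss.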