author photo
By Clare O’Gara
Mon | Oct 21, 2019 | 8:42 AM PDT

We all know what can happen when an innocent game goes too far.

One moment, you're trying to tag your fellow high school students with a water gun during...

...and the next moment, you're hacking into a school data network to locate your targets.

This happened in the middle of National Cybersecurity Awareness Month.

Students hack their school to win 'Assassin'

Thankfully, the game of "Assassin" is far less gruesome than the name implies.

Played by many a high school student, Assassin is essentially a glorified game of tag: students try to tag, or "kill," their classmates by shooting them with a water gun or something similar.

Speaking from experience, the game can get intense. And it can last months.

But some Philadelphia area students took it to a whole new level. 

According to the Downingtown Area School District (DASD), a group of students hacked into school accounts to uncover more information about their Assassin targets:

" has been determined that through illicit means, the perpetrators obtained teacher-level access to DASD accounts. Using unethical coding methods, they were able to exploit DASD systems and extract student profile information for the entirety of DASD's student population.

The perpetrators claim the information was collected to obtain student addresses to gain a competitive advantage for the senior [Assassin] water games, a game that students play outside of the school district."

The school also revealed what types of data the students gained access to, and the list is troubling:

  • Student IDs
  • Student directory information
  • Gender and ethnicity information
  • GPA and SAT scores
  • Household and non-household relationship information

The district named the actual system that was accessed:

"Downingtown Area School District (DASD) became aware of a potential attack on DASD high school student Naviance accounts. Naviance is a college and career resource website that assists students in aligning their strengths and interests to their post-secondary goals."

Second Naviance cyberattack by high schoolers in a month

Naviance, by the way, was also recently hacked by a Maryland high school student. 

The Montgomery County School District issued the following breach notification:

"On Thursday, October 3, 2019 between 8:10PM and 10:14PM, an unauthorized user performed a sequential brute force attack against Wheaton High School's Naviance platform in order to access
user accounts. The unauthorized user attempted many username and password combinations, eventually gaining access to 1,344 accounts."

We'd be curious to hear if you have any theories on how so many high school students are able to compromise this service. Do you see any clues here?

What will happen to the students?

In Philadelphia, the school district is talking tough. Some kids may wonder if this Assassin strategy was worth it.

"Cyber hacking is a federal crime and DASD is working with the proper authorities to determine the appropriate discipline and legal ramifications."

And the district superintendent, Emilie Lonardi, expressed her concern for the situation:

"DASD takes the responsibility to gather and store student and family information seriously. Modifications have and will continue to be made to our internal practices and the district plans to conduct internal training beyond the normal, ongoing training."

Also, the district is requiring all employees to change their credentials out of what it calls an abundance of caution.

Check out the complete district statement here.