I was definitely that kid. I remember discovering that my district's web filter had a default password (something like "changethis123"), by watching one substitute with exceptionally poor typing skills. Problem was, substitutes' accounts were disabled frequently, and any one account only really had a lifetime of a week or two, before someone in the IT department realized that 300 devices were connecting to the network with the same credentials.
But the staff lists were public, and I had the default password. So I set up a script to turn the lists of names of teachers, librarians, janitors, etc. into usernames, and then tried to login with all of them. Turns out, most support staff, especially custodians, hadn't changed their passwords. (I'm guessing their jobs didn't involve much computer use). With a list of a couple dozen working accounts, I'd mete out 1 or 2 at a time to my friends, and we had teacher-level access for the rest of our time there. Don't remember using it for much, maybe showing my friends a youtube video during lunch or something.
This demonstrates why forcing people to use E-mail addresses as user IDs is a stupid, stupid policy.