How the NRMP was “hacked”

While I was busy stressing out over where I will match on Friday, this afternoon I received an email from the NRMP, the organization responsible for running the match. It read: “Earlier today the NRMP received notice that some Main Residency Match applicants were able to view their match results before the results were released if they right-clicked their Home Page in the Registration, Ranking, and Results (R3) system. Immediately upon learning of this situation, we took steps to assure that this can no longer occur. We are investigating to determine how such premature access was possible.”

My investigative journalism training kicked into high gear as I turned to the Internet to find some answers. How was this possible? How many people found out? And most importantly, how did I miss it?!

The answer was easy to find. On Monday March 17 (“Match Monday”) at 9:08 PM, an anonymous user named “nVictus” posted the following message on a Student Doctor Network forum:

[Image: original post (OP)]

As you can imagine, this created QUITE a stir, as medical students around the country have been waiting, stressed out of their minds, to learn where they will be assigned to go to residency for the next 4-7 years. A flurry of online activity ensued, as medical students already pushed to the brink opened the page source in their browsers to figure out their futures. Apparently the programmers “preloaded” the match homepage source code with the information of where people match, so that once the magic time hits on Friday, they can easily change everyone’s NRMP homepages to reveal the new result. What they didn’t realize? That there are medical students out there who are combing every detail of the site to figure out anything they can ahead of time. Several took it upon themselves to poll all of their friends to assess the accuracy of this method.
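The “preloading” pattern described above, as an added example that is not from the original post or from the NRMP's code: a page that ships the embargoed result hidden in its markup, next to one that makes the release decision on the server, plus a check that catches the difference. The markup, function names, release time and sample record are all assumptions constructed for illustration.

```javascript
// Added illustration; every name and value here is constructed, not NRMP code.
const RELEASE_AT = Date.parse("2030-03-22T17:00:00Z"); // constructed release time

// Constructed sample record standing in for one applicant's row.
const applicant = { name: "Sample Applicant", program: "Example Hospital - Internal Medicine" };

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Flawed pattern: the result is always serialized into the response and only
// hidden with CSS until release. "View source" shows it to the logged-in user.
function renderPreloaded(user, now) {
  const hidden = now < RELEASE_AT ? ' style="display:none"' : "";
  return `<h1>Welcome, ${escapeHtml(user.name)}</h1>\n` +
         `<div id="result"${hidden}>${escapeHtml(user.program)}</div>`;
}

// Corrected pattern: the server compares its own clock to the release time and
// never places the result in the response before then.
function renderGated(user, now) {
  const body = now >= RELEASE_AT
    ? `<div id="result">${escapeHtml(user.program)}</div>`
    : `<div id="pending">Results will be shown at release time.</div>`;
  return `<h1>Welcome, ${escapeHtml(user.name)}</h1>\n${body}`;
}

// Regression check: before release, the response bytes must not contain the
// embargoed value anywhere, regardless of how the browser would display them.
function leaksBeforeRelease(render, user, now) {
  return now < RELEASE_AT && render(user, now).includes(escapeHtml(user.program));
}

const oneHourEarly = RELEASE_AT - 3600 * 1000;
console.log("preloaded leaks:", leaksBeforeRelease(renderPreloaded, applicant, oneHourEarly));
console.log("gated leaks:", leaksBeforeRelease(renderGated, applicant, oneHourEarly));
```

The check inspects the raw response text rather than the rendered page, which is the view the applicants had when they opened the source.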


The same trick was also posted on Reddit, multiple email lists, and another online thread for international medical graduates.


Much to everyone’s dismay, an applicant ended up posting about this little trick on the NRMP Facebook page, resulting in the NRMP taking down their website for a few hours to fix this little problem. People are not happy, and a couple of posts on the forums even reveal the name and Facebook page of the student who “tattled.” I sincerely hope he’s not getting too much negative attention from his amped-up colleagues right now.

After the NRMP site came back up, medical students banded together to figure out how to access cached versions of the page from their browser’s history. Others took to Facebook and even (this is crazy…) change.org to create a petition to release the residency match results early.


So far the change.org petition has 22 supporters, with comments such as “I want to plan my life” and “For one, participants that know their Match results now have almost a week’s head start on the housing markets in the areas of their residency programs while the rest of us are forced to continue to wait for no legitimate reason.”

I personally find this whole drama entertaining, as I imagine the original poster of the trick spending hours playing around with the website before stumbling upon the source code. A lot of applicants voiced concern over the possibility of more serious security breaches that could reveal our SSNs and other personal information, but honestly, I think hackers have way bigger targets to chase than a bunch of debt-ridden medical school students who are now even more broke after applying to residency. Just my two cents.

Good luck to everyone on Friday! I can’t wait :)


7 responses to “How the NRMP was “hacked”

  1. The NRMP wasn’t hacked. The source code is what is sent to your computer when you access a website; for example, when I read your blog post, it sent me the source code. You can do this for any website.

    There is no “hacking” or subversion to access the source code. The NRMP literally sends it to everyone who logs in to the website. Applicants were able to view their results early because of incredibly poor coding quality.

    • Completely agree and that’s why the word “hacked” is in quotation marks. It isn’t so much hacking as just sloppy coding that a med applicant was able to find because he knew where to look.

      • @Joyce Ho I could not agree with you more. As a software developer my opinion of what NRMP IT/developers did was that they were very sloppy indeed,

  2. nVictus wasn’t the first to figure this out and spread the news. I received a message from a student at Touro California at least 3 hours before nVictus made this post.

  3. Glad you posted this :) I’ve been trying to figure out how people got their results early…and definitely curious how many people got to see. Have to say that although I would love to know my result now, I don’t think it’s really worth a huge stir since Friday will come soon enough (but my husband did say that he would have loved to get a jump on housing ha). Good luck on Friday!
