Strategic OSINT: Finding Out Who Has Access to the Bellingham Public Schools Website

By Jamisen Renoud

May 11th, 2025 (Updated Aug 15th, 2025 because im a goof - See bottom of this page for info)

Note: This is a completely public endpoint. No login or security was bypassed.

While exploring the Bellingham Public Schools website, I discovered it runs on WordPress, which exposes some surprisingly useful API endpoints. By querying /wp-json/wp/v2/users, I could pull a list of registered authors with access to publish content on the site - no login or credentials required.

The Endpoint

This URL revealed the full author list:
https://bellinghamschools.org/wp-json/wp/v2/users, adding ?per_page=100 made my life easier also.

Users Discovered

All job titles sourced from the official Bellingham Public Schools website contact page. Any persons not listed there includes a source if available.

District Site (Updated Aug 15th, 2025)

• Amelia Vader - Grant Writer and Special Projects Manager
• Andrew Forhan - Communications Technician Specialist
• Bill Palmer - Director, Teaching and Learning - Technology Integration
• Caitlin - Unidentified
• Cara Forhan - Executive Administrative Assistant, Human Resources
• Clover Martin - Administrative Assistant, Health Services
• Dana Smith - Assistant Director, Communications
• Gladys Serrano - Administrative Assistant, Teaching and Learning
• Greg Baker - Superintendent
• Heather Steele - Director, Teaching and Learning - Career and Technical Education
• Jacqueline Brawley - Executive Director, Communications and Community Relations
• Janis Farmer - Director, Equity, Diversity and Inclusion
• julie - Unknown
• Lisa Gilchrist - Vice President of Logistics (Former Vice President of Communications) (According to this LinkedIn)
• Lisa Hust - Could not find much, possibly School Public Relations Association or Communications Technician
• Lisa Hust - (duplicate account)
• Margaret Gude - Communications Specialist
• Matthew Mataio Gillis - Culinary Program Supervisor (According to this LinkedIn)
• Sheri ODay - Executive Administrative Assistant to the Superintendent
• localadmin - (suspected admin account)
• test student - (test account)
• test user - (test account)

Users Discovered

Sehome Site

Now I went to look at sehome.bellinghamschools.org, and found these users.

• Amy Hjelt - Former School Counselor at Sehome (According to this LinkedIn)
• Andrew Forhan - Communications Technician Specialist
• Lisa Gilchrist - Vice President of Logistics (Former Vice President of Communications) (According to this LinkedIn)
• Lisa Hust - Could not find much, possibly School Public Relations Association or Communications Technician
• Margaret Gude - Communications Specialist
• Monica Contreras - Administrative Assistant to the Principal
• Nicky Cook-Desler - Library Media Specialist

Why It Matters

Even though no private data was exposed, this tells us who has access, and could be targeted by phishing campaigns.

Updates to This Post

While looking at the District site again, I discovered I missed many users as I didn't think there was more pages to the json. As of Aug 15th, 2025 relative updates have been made to this post such as adding missing users, adding more job titles, correcting incorrect info that these were users with admin access, and re-bumping this post to the top of my homepage.

This post is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license.