CBSE Reports Cyber Attacks on Its Result Portal: How Families Can Verify the Real Thing

The result and revaluation season is the busiest, most anxious stretch of the school calendar, and it is exactly when bad actors go to work. CBSE has now formally complained to the Delhi Police about what it described as a series of cyber attacks against its post-results website, calling them attempts to "hamper the public peace and order and create major inconveniences" and asking for an immediate investigation.

The complaint landed during a high-pressure window. The board had just extended its Class 12 verification and re-evaluation deadline to the night of June 7, 2026, and had received more than 70,000 applications for verification and re-evaluation, as SelfStudys reported. Tens of thousands of families hitting one portal in a few days is precisely the kind of moment an attacker tries to exploit, whether to take the site down or to lure anxious users to a convincing fake.

You cannot do much about the attacks themselves. What you can control is whether your family or your school ever types a roll number into the wrong box. This is a practical guide to doing that safely.

Know the official addresses by heart

The single most effective defence is also the most boring: memorise the real domains and refuse to use anything else. For CBSE, results and post-result services live on the board's own government domains and its official apps. The reliable channels are cbse.gov.in, results.cbse.nic.in, the post-result services portal at cbseit.in, plus DigiLocker and the UMANG app.

Note the pattern. Genuine board addresses end in .gov.in or .nic.in. These are restricted government domains that a random operator cannot register. A "result" site ending in .com, .in, .info, .xyz or anything else is, at best, an unofficial aggregator and, at worst, a trap. When the board itself reminds families to "only trust cbse.gov.in and results.cbse.nic.in", it is making exactly this point.

How fake result and revaluation sites work

The scams that cluster around result season are not sophisticated, which is why they keep working. The common patterns are worth naming so you can spot them.

• Lookalike domains. A site that copies the board's logo and layout but sits on a slightly-off web address, cbse-results-online, cbseresult-check, and similar. The design is borrowed; the domain gives it away.
• Pay-to-see-your-result pages. Real board results are free. Any page asking for a payment to "unlock", "download faster" or "check instantly" is fraudulent. So is any "revaluation" service that is not the board's own portal.
• Credential harvesting. Fake pages ask for far more than a roll number, full date of birth, parent phone numbers, OTPs, even passwords. The official flow needs only the specific identifiers printed on the admit card.
• WhatsApp and SMS links. Messages promising "early results" or "leaked marks" with a link. Boards do not leak results through forwards. The link is the product, not the result.

A two-minute verification habit

Teach this routine to your child and use it yourself. It takes longer to describe than to do.

• Type the address, do not click it. Reach the result portal by typing the official domain into the browser yourself, or through DigiLocker or UMANG. Avoid links sent over chat, email or search ads, which is where lookalikes hide.
• Check the domain ending before you enter anything. Confirm it ends in .gov.in or .nic.in. If it does not, close the tab.
• Refuse to pay and refuse to over-share. No payment, no OTP, no password. If a page asks, it is fake.
• If the official site is slow, wait, do not wander. During an attack or a traffic spike the real portal may load slowly or briefly fail. That is frustrating, but a slow government site is safer than a fast fake. Use DigiLocker as the official backup rather than searching for an alternative.

What schools should do

Schools are trusted messengers, and during result season parents take their cues from the school office. A few small actions make a large difference.

First, publish the official links yourself, on the school website, the parent app, the class group, so families have a verified source and do not go hunting. Second, brief teachers and the front desk to repeat the .gov.in and .nic.in rule whenever a parent calls in a panic. Third, when you forward a board notice, send the link to the original government page rather than a screenshot, so parents can confirm the source for themselves. A school that models careful verification teaches a digital-safety habit far more durable than any single result.

The wider point

Cyber attacks on a board portal sound like a technical story, but the people exposed are families. The board will work with the police on the attacks; what protects your child's data in the meantime is a small set of habits, knowing the real address, distrusting links, never paying, never sharing an OTP. Those habits outlast this result season. The same logic protects scholarship portals, admission sites and every other place a child's identity meets the internet. Result week is simply the moment it matters most.