School messaging app apologizes for ‘inappropriate image’ sent after cyberattack

A popular messaging application used by school districts across the U.S. was forced to apologize on Wednesday night after parents said an inappropriate photo was sent out. 

According to the company — Seesaw — the app is used by 10 million teachers, students and parents across the U.S.

But on Wednesday night, Seesaw released a statement saying it has suffered a credential stuffing attack that allowed a malicious actor to send out an explicit message using their service. Credential stuffing is when hackers use stolen email and password sets to gain access to accounts. 

The company initially shut down its messaging service on Wednesday night to investigate the incident and later reported that “specific accounts were compromised by an outside actor” when people reported that an “inappropriate image” was being sent out to parents.

Seesaw officials said they removed the image link from any messages that reference it and reset the passwords of compromised accounts. 

Early on Thursday morning, the company re-enabled the messaging feature but then reported that some of its users may still be able to see the images through the link that was sent out. They shut down the service again before releasing two lengthy statements. 

The company said the attack was the result of a “coordinated attempt to guess user account passwords.”

“Late on September 13th, Seesaw was subjected to a coordinated ‘credential stuffing’ attack. Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message,” the company said. 

“Widely available compromised emails/passwords that were reused across services were used to gain unauthorized access to Seesaw accounts. We have no evidence to suggest this attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message from these compromised accounts.”

The company did not respond to requests for comment about how many accounts were compromised. 

Seesaw said it coordinated with Bit.ly to disable the link that had the image but implored users to use distinctive passwords with the platform. 

It also plans to scan databases of known compromised passwords and forcibly reset the passwords of users who may have re-used passwords “as a proactive additional security measure.”

One Florida parent shared a screenshot of the image from his wife’s account with NBC News and Vice. The image — known pejoratively as "goatse" — is a longtime shock photo shared on internet forums.

Two schools in New York and Illinois posted notices on their website telling parents not to open the link while others publicized alerts telling parents to immediately delete the message. 

"Troy CSD is aware of issues with the Seesaw app. Some parents may have received unauthorized messages which may also contain inappropriate photos or links. Please do not read or click any links until Seesaw has resolved the issue," one New York school said on Facebook.

A subreddit for teachers had dozens of comments from schools across the country.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.