School messaging app apologizes for ‘inappropriate image’ sent after cyberattack

A popular messaging application used by school districts across the U.S. was forced to apologize on Wednesday night after parents said an inappropriate photo was sent out. 

According to the company — Seesaw — the app is used by 10 million teachers, students and parents across the U.S.

But on Wednesday night, Seesaw released a statement saying it has suffered a credential stuffing attack that allowed a malicious actor to send out an explicit message using their service. Credential stuffing is when hackers use stolen email and password sets to gain access to accounts. 

The company initially shut down its messaging service on Wednesday night to investigate the incident and later reported that “specific accounts were compromised by an outside actor” when people reported that an “inappropriate image” was being sent out to parents.

@Seesaw Teachers at my school had their Seesaw accounts hacked over night. A VERY inappropriate image was sent to parents! We have tried to contact your help desk and received a message that y’all will get back to us in 2 days! Can we get help IMMEDIATELY?

— Alyssa Toomes (@AlyssaToomes) September 14, 2022

Anyone else experience a hack in @Seesaw messages this morning? I've emailed their support, but just wondering if it's just us? #seesaw #edtech

— Anne Reardon (@areardon) September 14, 2022

Hey @Seesaw, I’m really curious how your security was compromised so my wife’s hacked account posted pornographic images to the entire 1st grade class.

— Krampert (@krampert) September 14, 2022

Seesaw officials said they removed the image link from any messages that reference it and reset the passwords of compromised accounts. 

Early on Thursday morning, the company re-enabled the messaging feature but then reported that some of its users may still be able to see the images through the link that was sent out. They shut down the service again before releasing two lengthy statements. 

The company said the attack was the result of a “coordinated attempt to guess user account passwords.”

“Late on September 13th, Seesaw was subjected to a coordinated ‘credential stuffing’ attack. Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message,” the company said. 

“Widely available compromised emails/passwords that were reused across services were used to gain unauthorized access to Seesaw accounts. We have no evidence to suggest this attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message from these compromised accounts.”

The company did not respond to requests for comment about how many accounts were compromised. 

A note to the Seesaw Community: pic.twitter.com/TALjNpgWgT

— Seesaw (@Seesaw) September 15, 2022

Seesaw said it coordinated with Bit.ly to disable the link that had the image but implored users to use distinctive passwords with the platform. 

It also plans to scan databases of known compromised passwords and forcibly reset the passwords of users who may have re-used passwords “as a proactive additional security measure.”

One Florida parent shared a screenshot of the image from his wife’s account with NBC News and Vice. The image — known pejoratively as "goatse" — is a longtime shock photo shared on internet forums.

Two schools in New York and Illinois posted notices on their website telling parents not to open the link while others publicized alerts telling parents to immediately delete the message. 

"Troy CSD is aware of issues with the Seesaw app. Some parents may have received unauthorized messages which may also contain inappropriate photos or links. Please do not read or click any links until Seesaw has resolved the issue," one New York school said on Facebook.

A subreddit for teachers had dozens of comments from schools across the country.