School app Seesaw compromised to send shock NSFW image

On Wednesday, parents and teachers reported that student learning platform, Seesaw, had been hacked after some users received an infamous explicit photo known as “goatse” on private chats. Schools from districts in Colorado, Illinois, Kansas, Michigan, New York, Oklahoma, South Dakota, and Texas all experienced similar issues, and began to send out warnings like the one below:

easset upload file69527 236441 e

San Francisco-based Seesaw, which prides itself on having more than 10 million users, declined to comment on how many were affected.

In a news release, Seesaw said it wasn’t hacked but was compromised via “a coordinated ‘credential stuffing’ attack” in which widely available compromised credentials—email address and password combinations—were used to illegally take over Seesaw accounts.

“We have no evidence that the attacker performed additional actions in Seesaw beyond logging in and sending a message from these compromised accounts,” the notification said.

In an update, Seesaw said it has removed the inappropriate link, which is a shortened URL, and undertook other actions to make sure that no one can access the link anymore.

“However, in a few instances, if the message was already loaded in a web browser or one of our apps, the message may have been cached on your device,” it added. “To ensure that no one has access to the inappropriate message, we recommend all everyone *refresh their web browsers and refresh their mobile apps*. On mobile, you can update your device to the latest app version (version 8.1.2, released today) and re-launch Seesaw OR close and re-open the Seesaw app.”

Seesaw has adjusted its detection and blocking feature and is slowly bringing back the messaging feature of the app after it temporarily disabled it as part of sorting out the compromise.

Say ‘no’ to password reuse

The Seesaw incident is a timely example of why it’s important for people not to reuse passwords across different accounts. Often when a breach occurs the stolen credentials are sold on to more cybercriminals who then try these logins on other sites.

To eradicate password reuse forever, get yourself a password manager to create and remember unique, complex passwords. All you need is one very long and very complicated password for the password manager itself—you can combine random words or think of a ridiculous phrase that is unguessable. 

Seesaw endorsed a guideline for creating and managing passwords by CISA (Cybersecurity & Infrastructure Security Agency). Responsible parents, teachers, and guardians would also be wise to heed this.

Stay safe!