[Update: Seesaw told Ars that “less than 0.5 percent of Seesaw users were affected. Seesaw blocked the attack swiftly to prevent the message from being distributed widely.” Although it “can’t discuss the specifics of additional steps” taken to enhance security so far, some of the “additional mitigation steps to prevent an attack from achieving this scale in the future” include “refinements to our rate limiting, alerting, blocking, content detection, and login systems.”]
Original story: A popular parent-teacher messaging app called Seesaw was hacked this week, resulting in families across the US receiving a Bit.ly link displaying one of the most widely shared shock images to ever befoul the Internet.
Vice posted a blurred screenshot of the text message that some parents received, confirming that the inappropriate image shared through Seesaw was Goatse, an explicit closeup image of a man spreading his anus. Vice noted that over the years, the image has mostly been scrubbed from the Internet. However, for parents preparing to tuck in their first graders this week, its sudden resurfacing revived its original shock value from the Internet’s earliest days.
In the screenshot, one parent’s response was just a stunned “Um ???”
Seesaw is used by 10 million teachers in the US, and so far, the company has declined to specify how many accounts were impacted, NBC News reported Wednesday. NBC and Vice reporting confirmed that the issue was widespread, though. Reports showed that the inappropriate image was sent to families in school districts in Illinois, New York, Oklahoma, Texas, Colorado, Kansas, Minnesota, Michigan, and South Dakota. Some schools were so concerned that they updated their websites with pop-up windows and alerts to notify parents, urging them to avoid using the app and instead email teachers until the issue could be resolved.
Seesaw became aware of the attack on Tuesday evening and immediately shut down the messaging feature to investigate. Eventually, Seesaw found that the issue was not due to a data breach of Seesaw users but was instead a “credential stuffing” attack. That occurs when attackers mine previous data breaches for username and password combinations and replay them against other services, compromising individual accounts wherever people have reused the same credentials. These attacks are why it’s recommended to never reuse passwords, and Seesaw echoed that advice to parents.
“Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message,” a Seesaw spokesperson told Ars. “We have no evidence to suggest this attacker performed any additional actions or accessed other data in Seesaw beyond logging in and sending a message from these compromised accounts.”
How did Seesaw respond?
Once Seesaw received reports from users, the app began investigating and posting user updates as new information became available. To remedy the issue, Seesaw removed the image from all messages, temporarily disabled the messaging feature to prevent it from being shared further, reset passwords for all affected accounts, and notified account holders by email of the hack.
After that, Seesaw reached out to Bit.ly to block the link and promised users that the app adjusted its “detection and blocking rules to ensure similar attacks are prevented in the future.” (Seesaw declined to specify to Ars what updates were made.)
Moving forward, Seesaw has promised to put in more mitigation measures and plans to scan databases of “known compromised passwords” to proactively reset passwords of any users who weren’t impacted by the hack but could be vulnerable to future hacks.
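As an added illustration of the proactive check described above (this is not Seesaw's own code; the breach corpus, its counts, and the function names are constructed for the example), the Python below shows the k-anonymity style lookup a service can run against a known-compromised-password set so that the plaintext password never leaves the client and the server only ever sees a five-character hash prefix:

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a "known compromised passwords" corpus. A real
# deployment would hold SHA-1 hashes from breach dumps server-side; the
# plaintexts here exist only so the example can build its own index.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_730_471,   # constructed counts, not real breach figures
    "123456": 23_597_311,
    "qwerty": 3_912_816,
    "letmein": 252_961,
}

def build_range_index(corpus):
    """Index hashes by their first five hex digits, as a range API does."""
    index = defaultdict(dict)
    for plaintext, count in corpus.items():
        digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] = count
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)

def lookup_range(prefix):
    """Server side: return every (suffix, count) pair under a 5-char prefix.
    The server never learns which suffix the caller is interested in."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex digits")
    return dict(RANGE_INDEX.get(prefix.upper(), {}))

def compromised_count(password):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)

def should_force_reset(password, threshold=1):
    """Policy hook: any password seen in a breach triggers a proactive reset."""
    return compromised_count(password) >= threshold

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", compromised_count(candidate), should_force_reset(candidate))
```

Running the same check at login time, not only in a one-off database scan, catches reused credentials before a credential stuffing run can succeed with them.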
“We’re deeply distressed by the impact on our community by these appalling actions,” Seesaw told Vice.
For some Seesaw users, the messaging feature has since been reactivated, but others are still waiting to regain access.
“Our team continues to monitor the situation and are now slowly reenabling Messages,” Seesaw told Ars.