A messaging app for parents and teachers said Wednesday that it was hacked after some parents said they had received messages with an explicit photo that is infamous on the internet.
School districts in Illinois, New York, Oklahoma and Texas all said Wednesday that the photo was sent through the app, Seesaw, to parents and teachers in private chats.
Seesaw, which, according to its website, is used by 10 million teachers, students and family members, declined to say how many users were affected.
In an emailed statement, its vice president of marketing, Sunniya Saleem, said that “specific user accounts were compromised by an outside actor” and that “we are taking this extremely seriously.”
“Our team continues to monitor the situation to ensure we prevent further spread of these images from being sent or seen by any Seesaw users,” she said.
In a follow-up email, the company said the hacker or hackers didn't gain administrative access to Seesaw but instead breached individual user accounts by a so-called credential stuffing attack. In such an attack, hackers look through previous data breaches to identify combinations of usernames and passwords. Cybersecurity experts recommend not reusing the same password across multiple sites specifically to avoid credential stuffing attacks.
The photo was sent to some parents and teachers as links to bitly, a popular link-shortening service that obscures actual web addresses. For some users, the app automatically depicted the image in the chat.
Chris Krampert, whose children are in elementary school in Florida, provided NBC News with a screengrab showing his wife’s account sending the image, which automatically displayed in the chat, to horrified parents. The image was an infamous meme photo of a man engaged in an explicit act.
Some school districts made announcements warning parents not to open links sent through Seesaw. Visitors to the website for Keeneyville Elementary School District 20 in Hanover Park, Illinois, were greeted Wednesday with a pop-up warning.
“Please do not open any ‘bitly’ links that are sent to you this morning in a Seesaw message,” it says. “It may appear as a message was sent to you from another school family, but please delete the message immediately, without opening as inappropriate content was sent.”
Castleton Elementary School, in Castleton-on-Hudson, New York, announced on its website that it had also seen evidence of the security breach. “In the meantime, if you need to speak with your student’s teacher please send them an email,” it said.