Cyber Incident Victim: Seesaw
Date: Sep 2022
Location: United States of America
Summary
A popular school messaging application experienced a credential stuffing attack that compromised isolated user accounts, enabling unauthorized actors to distribute an explicit image link to parents via the platform. The service provider disabled messaging features, collaborated with a URL-shortening service to block the malicious link, reset affected account passwords, and initiated proactive scans for reused credentials from known breach databases. Service disruptions occurred as the company temporarily reactivated messaging and then disabled it again while addressing residual access to the inappropriate content. Multiple U.S. school districts issued warnings advising parents to avoid interacting with the messages, highlighting widespread impact across educational communities.
Description
On September 14, 2022, Seesaw—a school communication platform serving 10 million teachers, students, and parents across the U.S.—acknowledged a credential stuffing attack that compromised isolated user accounts. The incident began on the evening of September 13 when attackers used widely available stolen email and password combinations, likely reused from other breaches, to gain unauthorized access to Seesaw accounts. The compromised accounts were exploited to distribute an inappropriate image via the platform’s messaging feature. The explicit content, identified by recipients as the shock image colloquially known as 'goatse,' was disseminated to parents through automated messages containing a hyperlink. Upon receiving reports of the incident, Seesaw immediately disabled its messaging service to investigate. The company confirmed that the attacker only accessed accounts to send the malicious message, with no evidence of further data access or system-wide compromise. Initial containment measures included removing the image link from affected messages and resetting passwords for compromised accounts.

Seesaw reactivated messaging services on the morning of September 14 but temporarily disabled them again after discovering some users could still access the image via the original link. The company collaborated with URL-shortening service Bit.ly to permanently disable the malicious link. Impacted school districts in New York, Illinois, Florida, and elsewhere issued public alerts urging parents to avoid opening the message or clicking links. A Florida parent provided media outlets with a screenshot of the image from their spouse’s account, while school districts like Troy CSD in New York posted warnings on social media and official websites. Seesaw announced plans to scan databases of known compromised passwords and force password resets for users with reused credentials as an additional security precaution. The incident prompted widespread discussion among educators on platforms like Reddit, reflecting its broad geographic impact across U.S. school communities.
