Dundee teachers told to stop using part of Seesaw schools app after pornographic image hack

Dundee schools have been told to use stop using part of the Seesaw app after a hacker sent users an explicit image.

The app is widely used by schools to record pupils’ work, often with pictures and video of children in class, and to communicate with parents.

But last week some parents and teachers were sent a pornographic photograph via the platform’s messaging tool.

A “very limited number” of users in Fife were confirmed to be among those hit by the data breach of user accounts.

Seesaw insists the incident has been resolved and the app is safe for children but  Dundee City Council is investigating and has advised schools to switch off the two-way conversation feature while it considers its use of the app.

A council spokesperson said: “Following the incident last week involving Seesaw, the council continues to look into implications for the use of the app.

“We are now advising that the announcements part of the messaging function can be used by schools, but that the two-way conversation feature should remain switched off meantime while our investigations are ongoing.”

Use of the app by Angus and Fife schools has returned to normal. Perth and Kinross Council has also been asked about its schools.

What happened?

San Francisco-based Seesaw said it had been the victim of a credential stuffing attack, where users’ passwords are guessed.

Compromised accounts were used to send a picture of a man performing a sex act to other users, so it looked like the message was from other teachers or parents.

The data breach came to light late last Tuesday (early hours of Wednesday US time) and Seesaw disabled the messaging function until Thursday afternoon.

Is the app safe for children?

A teacher in the US – where parents and teachers across several states were hit – said her class almost saw the explicit image appear on her app which was projected on a screen as they were about to arrive.

@Seesaw what is the holdup? Why are you not implementing a two factor authentication system?? My kids almost saw therepulsive message on Thurs bc I had my messages projected-they were due in class in 5 min. Is it a $$ issue? My eyes still burn. Take action NOW & protect kids!

— Esther (@Meaksforlife) September 17, 2022

Dundee City Council is investigating the implications of the breach.

However, Seesaw insists the app itself was not compromised – only some user accounts – and remains safe for all.

There is no evidence, it says, to suggest the attacker accessed any data beyond logging in and sending a message.

In a message to users, CEO Adrian Graham apologised for the disruption caused by the attack, which he said affected less than 0.5% of users.

He said: “Seesaw was not compromised, and we have put a number of additional safety practices in place to ensure that an attack like this doesn’t happen again.”

Seesaw said those whose accounts were compromised were contacted directly by email and passwords were reset.