Hack of popular parent-teacher app left users wide open to infamous shock image [Updated]

A popular parent-teacher messaging app called Seesaw was hacked this week, which resulted in families across the US receiving a Bit.ly link showing one of the most widely shared shock images to ever befoul the internet.

Vice posted a blurry picture of the text message that some parents received, which showed an explicit closeup image of a man spreading his anus. The image has mostly been removed from the internet. For parents preparing to tuck in their first graders this week, its sudden reappearance revived its shock value from the early days of the internet.

One parent just said "Um???" in the picture.

Seesaw is used by 10 million teachers in the US and so far, the company has not said how many accounts were affected. The issue was widely reported by NBC and Vice. The inappropriate image was sent to families in Illinois, New York, Oklahoma, Texas, Colorado, Kansas, Minnesota, Michigan, and South Dakota, according to reports. Some schools updated their websites with pop-up windows to let parents know about the issue, and urged them to avoid using the app until the issue was solved.

Seesaw shut down the messaging feature after becoming aware of the attack. The issue was not due to a data breach of Seesaw users but acredential stuffing attack. That happens when a hacker discovers information that can be used to compromise individual accounts when people reuse their usernames and passwords. Seesaw told parents not to duplicate passwords because of the attacks.

A Seesaw spokesman told Ars that individual user accounts were compromised and used to send inappropriate messages. There is no evidence that this attacker did anything else besides logging in and sending a message from the compromised accounts.

How did Seesaw respond?

As new information became available, Seesaw began to investigate and post user updates. To remedy the issue, Seesaw removed the image from all messages, disabled the messaging feature to prevent it from being shared further, and notified account holders by email.

Seesaw reached out to Bit.ly to block the link and promised users that the app would adjust its rules to prevent similar attacks in the future. saw didn't say what updates were made Seesaw told Ars that although it can't discuss the specifics of additional steps taken to enhance security so far, some of the "additional Mitigation steps to prevent an attack from achieving this scale in the future" include fines.

Seesaw plans to use a database of known compromised passwords to reset the passwords of any users who weren't impacted by the hack.

Seesaw told Vice that they were distressed by the impact of the actions.

Some Seesaw users are able to use the messaging feature again, but others are not.

Seesaw told Ars that the team continues to monitor the situation.