A Note from Our Co-Founder/CEO about the Credential Stuffing Incident

To the Seesaw Community,

For nearly a decade, you have trusted Seesaw to be at the heart of your classroom. We take that responsibility very seriously and are deeply sorry for the disruption caused by the attack on Seesaw user accounts earlier this week. With this in mind, I wanted to write to you directly about what happened.

Late on September 13, individual Seesaw users were subjected to a coordinated “credential stuffing” attack. Some of the compromised accounts were used to send a message with a link to an inappropriate image. Less than 0.5% of users were affected.

First and foremost, I want to assure our community that Seesaw is safe and the attack has been shut down. Seesaw itself was not compromised, and we have put a number of additional safety practices in place to ensure that an attack like this doesn’t happen again.

We also want to be transparent about what happened, how we dealt with this incident, and what we are doing moving forward.

What Happened 

In “credential stuffing” attacks like this, widely available lists of email/password pairs leaked from breaches of other services are replayed against a login page to gain unauthorized access to the accounts of individuals who re-used the same password.

The attacker used this approach to access individual Seesaw user accounts and, in some cases, sent a message containing a link to an inappropriate image. Less than 0.5% of users were affected. 

We have no evidence to suggest the attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message. 

How We Responded 

Immediately after identifying the attack, we acted to block it, secure impacted accounts, and prevent the message from being distributed widely. We always prioritize the safety and trust of our community, even when it means turning off Seesaw features.

  1. We completely disabled our messaging feature to ensure no one else saw the inappropriate message. As of September 15, messaging has been fully restored.

  2. We notified all impacted users and secured all accounts we know to have been compromised by proactively resetting passwords.

  3. We removed the inappropriate message from all accounts and coordinated with Bit.ly and AWS to ensure that the inappropriate image is no longer accessible.

  4. Throughout the day, we shared information as soon as we learned it. We provided status updates on our website, coordinated with security officials, and notified all customers.

What We’re Doing to Keep You Safe

Based on what we have learned, we have taken a number of mitigation steps to prevent a similar attack in the future. 

This includes:

  • Making significant improvements to our rate limiting, alerting, blocking, content detection, and login systems. 

  • Conducting a thorough forensic investigation into the incident.

  • Sharing best practices for password security.
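To illustrate the two points above, the mechanics of credential stuffing described under What Happened and the rate-limiting, alerting and blocking improvements listed here, the following is added example code, not Seesaw's own, run over a constructed login log; the IP addresses, account names and thresholds are assumptions. It separates the stuffing shape (many accounts, one or two tries each, mostly failures) from ordinary brute force, and lists the accounts a source did get into, which are the ones to reset and notify.

```python
# Constructed sample auth events (not real Seesaw logs): time, source IP, account, outcome.
SAMPLE_LOG = """\
2022-09-13T23:01:03 203.0.113.7 teacher1@example.org FAIL
2022-09-13T23:01:04 203.0.113.7 teacher2@example.org FAIL
2022-09-13T23:01:04 203.0.113.7 teacher3@example.org OK
2022-09-13T23:01:05 203.0.113.7 teacher4@example.org FAIL
2022-09-13T23:01:05 203.0.113.7 teacher5@example.org FAIL
2022-09-13T23:01:06 203.0.113.7 teacher6@example.org OK
2022-09-13T23:05:10 198.51.100.2 teacher1@example.org FAIL
2022-09-13T23:05:40 198.51.100.2 teacher1@example.org OK
"""

def parse_log(text):
    """Parse 'time ip account outcome' lines into (time, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            events.append((ts, ip, account, outcome == "OK"))
    return events

def source_stats(events):
    """Aggregate per source IP: attempts, failures, accounts tried, accounts logged into."""
    stats = {}
    for _ts, ip, account, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0,
                                  "accounts": set(), "successes": set()})
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["accounts"].add(account)
        if ok:
            s["successes"].add(account)
    return stats

def flag_credential_stuffing(events, min_accounts=5, max_tries_per_account=2.0, min_fail_ratio=0.5):
    """Return {ip: sorted accounts logged into} for sources with the stuffing shape: many
    distinct accounts, few tries each, mostly failures (one account hammered with many
    passwords is brute force and fails the shape test). Thresholds are assumed values."""
    flagged = {}
    for ip, s in source_stats(events).items():
        n_accounts = len(s["accounts"])
        if (n_accounts >= min_accounts
                and s["attempts"] / n_accounts <= max_tries_per_account
                and s["failures"] / s["attempts"] >= min_fail_ratio):
            flagged[ip] = sorted(s["successes"])  # accounts to reset and notify
    return flagged

if __name__ == "__main__":
    for ip, hits in flag_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: block source; reset and notify {hits}")
```

In production the same counters would be kept per source over a sliding window so that a source crossing the threshold is rate-limited or blocked while the attack is still running, rather than only found afterwards.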

We'll be reviewing other steps we can take in the coming days to help users secure their accounts further and will share updates if any new information is discovered.

I hope this helps clarify what has happened and steps we have taken to ensure it doesn’t happen again. 

Thank you for being part of the Seesaw community. 

- Adrian Graham


FAQs

Is Seesaw safe to use? 

Seesaw is safe to use. The safety and privacy of our teachers, students, and families are our number one priority, and we take them extremely seriously. Seesaw was not compromised, and the incident has been resolved.

Is Seesaw Messages secure?

Yes. This incident occurred as a result of unauthorized access to individual Seesaw user accounts through re-used passwords. Seesaw itself was not compromised.

How do I know if my account was compromised? 

If your account was compromised, the Seesaw team sent you an email. We proactively reset the passwords of all accounts we know to have been affected. We have also adjusted our detection and blocking rules to ensure similar attacks are prevented in the future. 

Why was messaging turned off? 

As soon as we identified that this attack was taking place, our first priority was to ensure the safety of teachers, students, and families. While we resolved the issue, we disabled the messaging feature to prevent the message from being distributed widely. Before turning messaging back on, we secured the individual compromised user accounts to block the attacker’s access, removed the image from all messages, and ensured the image was no longer accessible.

How do I ensure that the image has been removed? 

We have removed the inappropriate image link from all messages and taken many other actions to ensure it is inaccessible (details can be found here). In a few instances, if the message was already loaded in a web browser or one of our apps, it may have been cached on devices. To completely remove the image, users can follow these steps:

  • We recommend all users refresh their web browsers and restart their mobile app.

  • On mobile, we recommend all users update devices to the latest version (version 8.1.2) or re-launch Seesaw by completely closing out and re-opening the Seesaw app. (Here are instructions to close apps for iOS and Android devices). 

How can I take extra precaution and reset my password? 

Any user can always reset their password at any time at https://app.seesaw.me/#/reset_password.

Where can I get more information or support?

If you have any questions or concerns, please reach out to us here. Thank you for your patience while our team worked round the clock to get these additional security measures in place. 
