Outage in Seesaw

Messages Inappropriate Image Incident

Resolved Major
September 14, 2022 - Started over 1 year ago - Lasted 1 day

Outage Details

[Investigation] We have turned off our messaging tool temporarily while we investigate an issue.
Components affected
Seesaw
Latest Updates (sorted recent to last)
MONITORING over 1 year ago - at 09/15/2022 08:39PM

**9/14 Incident Report**

*Summary of the issue:*
- Late on September 13, isolated Seesaw users were subjected to a coordinated “credential stuffing” attack. These individual compromised accounts were then used to send a message with a link to an inappropriate image.
- *Seesaw was not compromised.* The attack was a result of a coordinated attempt to guess individual user account passwords, sometimes known as a 'credential stuffing' attack. In a credential stuffing attack, publicly available compromised emails/passwords that are re-used across services are used to gain access to individual user accounts.
- *Seesaw is safe to use.* Within the first few hours of learning about the attack, we took swift action. We completely disabled messaging, blocked the attacker, made sure the image was removed and no longer accessible, and proactively alerted impacted users as well as our wider community. The incident has been resolved.
- *Less than 0.5%* of Seesaw users were affected. Seesaw blocked the attack swiftly to prevent the message from being distributed widely.
- We have no evidence to suggest the attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message from compromised accounts. We are conducting a thorough investigation and will share updates if any new information is discovered.

*What Happened?*
- A message containing a link to an inappropriate image was sent from individual compromised Seesaw user accounts.
- *Seesaw was not compromised.* The attack was a result of a coordinated attempt to guess individual user account passwords, sometimes known as a 'credential stuffing' attack. In a credential stuffing attack, publicly available compromised emails/passwords that are re-used across services are used to gain access to individual user accounts.
- *Less than 0.5%* of Seesaw users were affected. Seesaw blocked the attack swiftly to prevent the message from being distributed widely.
- We have no evidence to suggest that the attacker performed additional actions in compromised Seesaw user accounts beyond logging in and sending a message.

*How Seesaw Immediately Responded*
- Ensuring the safety and privacy of our teachers, students, and families was our top priority.
- Within the first few hours of learning about the attack, we took action. Seesaw’s swift response to this attack included the following steps:
  - As we resolved the issue, we completely disabled our messaging feature to ensure no one else saw the inappropriate message. As of September 15, messaging has been fully restored.
  - We successfully removed the inappropriate message from all accounts and coordinated with Bit.ly and AWS to ensure that the inappropriate image is no longer accessible.
  - We proactively reset the passwords of all accounts we know to have been compromised and notified all impacted users.
  - Throughout the day, we released multiple public statements, publicly provided status updates on our website: https://status.seesaw.me/, coordinated with security officials, and notified all customers.
  - We adjusted our detection and blocking rules to ensure similar attacks are prevented in the future.
- In addition to the above, we have taken a number of mitigation steps to prevent a similar attack in the future through refinements to Seesaw’s rate limiting, alerting, blocking, content detection, and login systems.
- We'll be reviewing other steps we can take in the coming days to help users secure their accounts further.
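The "detection and blocking rules" above are not described in detail. As an added illustration that is not Seesaw's code, the following Python script shows the shape such a rule takes: a login source that tries many distinct accounts inside a short window with a low success rate is the signature of credential stuffing, and every account that did log in from that source is the set to reset and notify. The log format, addresses and accounts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events (not real Seesaw data): UTC time, source IP, account, result.
# One source tries six different accounts in four seconds and gets two of them in;
# the other is a single user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2022-09-13T23:40:01Z 203.0.113.7 teacher1@example.org FAIL
2022-09-13T23:40:02Z 203.0.113.7 parent22@example.org FAIL
2022-09-13T23:40:02Z 203.0.113.7 parent23@example.org OK
2022-09-13T23:40:03Z 203.0.113.7 teacher4@example.org FAIL
2022-09-13T23:40:03Z 203.0.113.7 parent25@example.org FAIL
2022-09-13T23:40:04Z 203.0.113.7 parent26@example.org OK
2022-09-13T23:41:10Z 198.51.100.9 parent30@example.org FAIL
2022-09-13T23:41:40Z 198.51.100.9 parent30@example.org OK
"""

def parse_events(text):
    """Return (timestamp, ip, account, succeeded) tuples from the whitespace-separated log."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Map each flagged source IP to the sorted accounts that logged in OK from it.
    A source is flagged when, inside one sliding window, it attempted at least
    min_accounts distinct accounts and at most max_success_rate of them succeeded:
    stuffing is many accounts, one source, mostly failures, while a legitimate user
    retries one account. Every success from a flagged source is treated as compromised."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(events):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {a for _, a, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                flagged[ip] = sorted({a for _, a, ok in rows if ok})
                break
    return flagged
```

In practice the same rule is also keyed on other pivots (ASN, user-agent, device fingerprint), because a distributed attack spreads attempts across many IPs to stay under a per-IP threshold.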

**Here’s What This Means for Your Users**

*Is Seesaw safe to use?*
Seesaw is safe to use. The safety and privacy of our teachers, students, and families is our number one priority and we take it extremely seriously. Seesaw was not compromised, and the incident has been resolved.

*Is Seesaw Messages secure and safe to use?*
Yes, this incident occurred as a result of unauthorized access to Seesaw accounts. Seesaw, including the messaging feature, was not compromised.

*How do I know if my account was compromised?*
If your account was compromised, the Seesaw team sent you an email. We proactively reset the passwords of all accounts we know to have been compromised. We have also adjusted our detection and blocking rules to ensure similar attacks are prevented in the future.

*Why was messaging turned off?*
As soon as we identified this attack was taking place, our first priority was to secure the safety of teachers, students, and families. While we resolved the issue, we disabled the messaging feature to prevent the message from being distributed widely. Before turning messaging back on, we took action to block the attacker’s access and made sure the image was removed and no longer accessible.

*How do I ensure that the image has been removed?*
We have removed the inappropriate image link from all messages and taken many other actions to ensure it is inaccessible (details can be found here: http://status.seesaw.me). In a few instances, if the message was already loaded in a web browser or one of our apps, it may have been cached on devices. To completely remove the image, users can follow these steps:
- We recommend all users *refresh their web browsers and restart their mobile app*.
- On mobile, we recommend all users update devices to the latest version (version 8.1.2) or re-launch Seesaw by completely closing out and re-opening the Seesaw app. (Here are instructions to close apps for iOS and Android devices.)
  - iOS: https://support.apple.com/en-us/HT201330
  - Android: https://support.google.com/android/answer/9079646?hl=en#zippy=%2Cclose-apps

*How can I take extra precaution and reset my password?*
Any user can always reset their password at https://app.seesaw.me/#/reset_password.

*Where can I get more information or support?*
If you have any questions or concerns, please reach out to us here: https://help.seesaw.me/hc/en-us/requests/new. Thank you for your patience while our team worked round the clock to get these additional security measures in place.

MONITORING over 1 year ago - at 09/15/2022 02:17PM

Messages is ON for all customers. We are continuing to monitor.

MONITORING over 1 year ago - at 09/15/2022 01:44PM

We are turning Messages back ON for all customers starting at 7 am PT and continuing to monitor.

IDENTIFIED over 1 year ago - at 09/15/2022 01:37AM

We have removed the inappropriate image link from all messages and taken many other actions to ensure it is inaccessible. However, in a few instances, if the message was already loaded in a web browser or one of our apps, the message may have been cached on your device. To ensure that no one has access to the inappropriate message, we recommend that everyone *refresh their web browsers and refresh their mobile apps*. On mobile, you can update your device to the latest app version (version 8.1.2, released today) and re-launch Seesaw OR close and re-open the Seesaw app.
Here are instructions to close apps on mobile devices:
  - iOS: https://support.apple.com/en-us/HT201330
  - Android: https://support.google.com/android/answer/9079646?hl=en#zippy=%2Cclose-apps

We are also emailing all affected users with these instructions as well. We plan to re-enable Messages tomorrow after overnight monitoring.

IDENTIFIED over 1 year ago - at 09/14/2022 10:01PM

*What Happened*
- Late on September 13th, Seesaw was subjected to a coordinated “credential stuffing” attack.
- Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message.
- Widely available compromised emails/passwords that were reused across services were used to gain unauthorized access to Seesaw accounts.
- We have no evidence to suggest this attacker performed additional actions or accessed data in Seesaw beyond logging in and sending a message from these compromised accounts.

*What Data May Have Been Accessed*
- An isolated number of Seesaw user accounts were compromised in this attack, and only a portion of those were able to send the inappropriate message before the attack was blocked.
- We have no evidence that the attacker performed additional actions in Seesaw beyond logging in and sending a message from these compromised accounts.

*What We Have Done*
- As soon as we identified this attack was taking place, we took action to block the attacker’s access to these accounts.
- We completely disabled the messaging feature to ensure no one else saw the inappropriate message as we worked to resolve the issue.
- We removed the inappropriate message from accounts where it was sent.
- We proactively reset the passwords of all accounts we know to have been compromised, and have notified impacted users already.
- We adjusted our detection and blocking rules to ensure similar attacks are prevented in the future.
- We have coordinated with Bit.ly to ensure that the link to the inappropriate image is no longer accessible in any email notifications that may have been sent.

*What You Should Do*
- Maintaining the security of Seesaw accounts is paramount. While we work to proactively prevent these kinds of attacks, you can help by making sure that all user accounts use unique passwords that are not used in other services.
- If you are an administrator, you can let your parents and teachers know:
  - Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message.
  - This incident was the result of an outside actor; the messages were not created by the sender.
  - If your account was compromised, your password was reset and you have already received an email notifying you of this.
  - It is essential that you always use best practices to ensure your password is secure: https://www.cisa.gov/uscert/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
  - Seesaw takes protecting your security and privacy seriously and we have a number of measures in place to protect the integrity of your information. You can learn more here: https://help.seesaw.me/hc/en-us/articles/203258429-How-Seesaw-keeps-student-data-safe

*Next Steps*
- We will re-enable messaging when we’ve confirmed that the inappropriate message is no longer accessible from our servers.
- We are actively monitoring the situation and will be putting additional mitigation measures in place to prevent this and future attacks of this type.
- We will be scanning databases of known compromised passwords and resetting the passwords of users who may have re-used passwords as a proactive additional security measure (and preventing use of these passwords in the future).
- Please always use a unique password for accessing Seesaw and any other online account or service. Never reuse an old password or use the same password. Consider using a password manager for added security.
- We will continue providing updates here.
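The third step above, screening accounts against known compromised passwords and refusing those passwords going forward, is shown below as an added example in Python; it is not Seesaw's implementation. The breached corpus is a constructed stand-in, and the index uses the 5-hex-character SHA-1 prefix layout of k-anonymity range lookups, so a checker that queries an external corpus only ever reveals the prefix, not the full hash of a user's password.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not Seesaw's data, not a real leak).
BREACHED_PLAINTEXT = ["password123", "qwerty", "letmein", "Summer2022!"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(plaintexts):
    """Index the corpus by the first 5 hex chars of each SHA-1: prefix -> set of suffixes.
    Looking up a prefix returns every suffix that shares it, so the checker compares the
    rest of the hash locally and the full hash never has to cross a trust boundary."""
    index = {}
    for pw in plaintexts:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index

def is_breached(password, index):
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())

def accounts_to_reset(login_checks, index):
    """login_checks: constructed [(account, password)] pairs as seen at successful login,
    the only point where a system that stores salted password hashes can compare a user's
    actual secret against the corpus. Returns the accounts whose password must be reset."""
    return sorted(acct for acct, pw in login_checks if is_breached(pw, index))

def accept_new_password(password, index):
    """Policy at password-set time: refuse anything that appears in the corpus, which is
    what prevents a compromised password from being chosen again after the reset."""
    return not is_breached(password, index)
```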

IDENTIFIED over 1 year ago - at 09/14/2022 08:40PM

We believe there may be some caching cases where the previously sent inappropriate images may still be accessible to some customers. At this time we do not believe there are any new messages with the inappropriate image being sent. We have turned the Messaging feature off while we investigate the issue further. We are continuing to monitor and investigate the situation and will post a more detailed update shortly.

MONITORING over 1 year ago - at 09/14/2022 05:42PM

We have reset passwords for affected individuals and confirmed that links are no longer accessible. At this point, we have re-enabled the Messages feature. We are continuing to monitor and investigate the situation and will post a more detailed update shortly.

IDENTIFIED over 1 year ago - at 09/14/2022 05:24PM

As of 9:15am PT: Users who received the link via an email notification will no longer be able to access the link.
As of 10:15am PT: We have reset passwords for and sent password reset emails to all affected accounts.

IDENTIFIED over 1 year ago - at 09/14/2022 03:05PM

It was brought to our attention that a link to an inappropriate image was being shared via the Messages feature. It appears that specific accounts were compromised by an outside actor.

We take this incident extremely seriously. We’ve turned OFF Messages temporarily for all users while we investigate, to prevent further spread of this image from being sent or seen by any Seesaw users.

- We have removed this inappropriate link from any messages that reference it
- We are resetting the passwords of any users who had their account compromised
- We have taken measures to prevent additional accounts from being compromised
- Any user can always reset their password at: https://app.seesaw.me/#/reset_password
- Our team continues to monitor and investigate the situation

If you have any questions or concerns, please reach out to us at https://help.seesaw.me/hc/en-us/requests/new.

We will continue to provide updates on https://status.seesaw.me/ as we investigate and manage the situation.

—The Seesaw Team

IDENTIFIED over 1 year ago - at 09/14/2022 02:41PM

The issue has been identified and a fix is being implemented.

INVESTIGATING over 1 year ago - at 09/14/2022 01:13PM

[Investigation] We have turned off our messaging tool temporarily while we investigate an issue.
