Sterling and Dixon public schools were among districts nationwide whose service on the parent-student-teacher messaging portal Seesaw experienced delays in service this week because of a cyberattack on user accounts.
According to Seesaw founder Adrian Graham, some users were subjected to a “credential stuffing” attack in which they received a message linked to an “inappropriate image.”
The quick response by Seesaw was to its credit, Sterling Public Schools Superintendent Tad Everett said.
“Once they realized they had been technologically breached, they got on the problem immediately,” Everett said. “Within 48 hours they had corrected the issue and we were back up and running.”
Everett also said the service’s utility to the district is unchanged. “They have been a great educational partner with us, and as long as there are no further issues, SPS will continue to utilize their services,” he wrote in an email.
Everett had informed parents that access was suspended and recommended users reset their username and password information used to access the app through a personal device.
For Sterling schools, the app is used primarily by students in Pre-K through third grade for communications and online learning.
According to Seesaw, the app is in use by 10 million teachers, students and families and used at more than 75% of U.S. schools. It said fewer than 0.5% of users were compromised. It was unclear whether any app users in Sterling or Dixon were targeted.
Dixon Public Schools informed parents in a letter and website post from Superintendent Margo Empen and technology director James Manley that Seesaw messaging had been disabled. Dixon uses Seesaw as a communication tool in its kindergarten through fifth-grade classes.
Erie Community Unit District 1 Superintendent Charles Milem also sent a letter explaining the breach to parents and the steps taken to correct it. He emphasized how seriously the district and Seesaw were taking this incident.
Seesaw restored access to its messaging features at about 2 p.m. Thursday and reset all passwords for users who experienced a breach.
The attack message was removed and the company coordinated with bit.ly — a url link management system — and Amazon Web Services to make sure the image was no longer accessible.
In credential stuffing, widely available lists of emails and passwords are used to gain unauthorized access to accounts.
Seesaw said among its mitigations were sharing best practices in password security with users, conducting a forensics investigation into the incident and making improvements in content detection and login systems.
The company said additional steps to help users secure their accounts might be forthcoming.
Messaging portals are widely used in schools to facilitate communications between the schools, its teachers, parents and students. In fact, some schools use several services, depending on the grade level and purpose of the communications.
Among the portals that are used in addition to Seesaw in the area: Dixon Public Schools uses Clever; Rock Falls High School and Sterling Public Schools utilize Skyward; Rock Falls District 13, East Coloma-Nelson and Montmorency in Rock Falls all use TeacherEase; Oregon Community Schools uses PowerSchool SIS and Newman Catholic High School uses PlusPortals.
Improve password security
According to the CyberSecurity and Infrastructure Security Agency (www.cisa.gov), an agency of the United States government, users can take the following steps to improve password security on their devices and computers:
Create a strong password. Use a strong password that is unique for each device or account. Longer passwords are more secure. An option to help you create a long password is using a passphrase—four or more random words grouped together and used as a password. To create strong passwords, the National Institute of Standards and Technology (NIST) suggests using simple, long, and memorable passwords or passphrases.
Consider using a password manager. Password manager applications manage different accounts and passwords while having added benefits, including identifying weak or repeated passwords. There are many different options, so start by looking for an application that has a large install base (e.g., 1 million plus) and an overall positive review. Properly using one of these password managers may help improve your overall password security.
Use multi-factor authentication, if available. Multi-factor authentication (MFA) is a more secure method of authorizing access. It requires two out of the following three types of credentials: something you know (e.g., a password or personal identification number [PIN]), something you have (e.g., a token or ID card), and something you are (e.g., a biometric fingerprint). Because one of the required credentials requires physical presence, this step makes it more difficult for a threat actor to compromise your device.
Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Answers that can be found on your social media or facts everyone knows about you can make it easier for someone to guess your password.
Create unique accounts for each user per device. Set up individual accounts that allow only the access and permissions needed by each user. When you need to grant daily use accounts administrative permissions, do so only temporarily. This precaution reduces the impact of poor choices, such as clicking on phishing emails or visiting malicious websites.