CUMBERLAND COUNTY, Pa. (WHTM) — Cumberland Valley School District says someone sent highly inappropriate images using a software system designed for elementary school students, and it isn’t the only district to be impacted.

On Wednesday morning, Cumberland Valley alerted parents of “a very inappropriate image being circulated through a small number of accounts on Seesaw.” Cumberland Valley is not the only district to use Seesaw or to experience this issue.

West Shore School District sent a similar message to elementary families and staff on Wednesday that said “a few of our elementary teachers reported receiving a bitly link to an inappropriate image through their Seesaw account from parent accounts.”

Northern York County School District also experienced the issue, per a message sent to district parents and staff. And it isn’t limited to Pennsylvania — an abc27 sister station in New York also reported a similar issue.

In a statement, Cumberland Valley said, “Our initial investigation revealed that an individual(s) gained unauthorized access to several parent, or “families,” Seesaw accounts and used those accounts to send an inappropriate image through the platform to some of our staff…We are not aware of the image being shared with any student accounts.”

Cumberland Valley emphasized this was not a breach of its systems.

West Shore also said that “due to the manner in which the District Seesaw accounts are structured, students were not able to receive this message, and all teacher log-in credentials are secure.”

In an updated statement, Seesaw said:

“After further investigation, it appears that specific user accounts were compromised as the result of a coordinated attempt to guess user account passwords, sometimes known as a ‘credential stuffing’ attack. In a credential stuffing attack, publicly available compromised emails/passwords that are re-used across services are used to gain access to Seesaw accounts. Seesaw was not compromised; however, isolated individual user accounts were compromised and used to send an inappropriate message. We have no evidence to suggest this attacker performed any additional actions or accessed other data in Seesaw beyond logging in and sending a message from these compromised accounts.

As soon as we identified this attack was taking place, we took action to block the attacker’s access to these accounts, completely disabled the messaging feature to ensure no one else saw the inappropriate message, and removed the inappropriate message from accounts where it was sent. We proactively reset the passwords of all accounts we know to have been compromised, and have notified impacted users already. We’ve also adjusted our detection and blocking rules to ensure similar attacks are prevented in the future and coordinated with Bit.ly to ensure that the link to the inappropriate image is no longer accessible in any email notifications that may have been sent .Our team continues to monitor the situation and are now slowly reenabling Messages.” 

Seesaw is one of several competing apps school use to communicate with students and parents and enhance learning.