Popular elementary school app, Seesaw, used to distribute obscene image

Emma McGowan 16 Sep 2022

As this attack illustrates, reusing passwords can lead to very real consequences.

Cassie,* a Vermont mother of four, woke up to a shock yesterday morning. When she went to check the Seesaw app — which she uses to communicate with her kids’ schools — she found that an obscene photo had been sent to her youngest’s teacher at 3 AM. 

“Anyone else ever had their phone hacked and their child’s teacher get sent links to the grossest pic ever at 3AM? No? Just me? The butthole bandit has me real embarrassed today,” Cassie posted on Facebook.

It turns out that Cassie was one of many parents whose Seesaw account was compromised the night before. According to reporting from NBC News, attackers conducted a credential stuffing attack to send a Bitly link to the infamous Goatse meme, which depicts a male body part in a particularly obscene manner. In a credential stuffing attack, the attackers find usernames and passwords that were compromised in previous data breaches and use them to attempt to access other accounts, in this case Seesaw accounts.

According to Cassie, other accounts were targeted as well: She told Avast that her Instagram, Venmo, TikTok, and Facebook accounts were also compromised. While nothing seems to have happened with her social media so far, the attackers did steal the money she had in her Venmo account. Cassie works in a tips-based industry, so that money is a substantial part of her take home pay.

Seesaw responded quickly to the attack by sending out an email to their users, stating that “specific accounts were compromised by an outside actor.” They also turned off their messaging feature, removed the link, reset the passwords of compromised accounts, and promised to continue to monitor the situation. 

Seesaw’s social media has been taken over by outraged parents, but the attack does not appear to have been enabled by any bad action on Seesaw’s part. Instead, it relied on one of the oldest tools in the hacker tool chest: password reuse.

In a credential stuffing attack, cybercriminals create a bot that takes usernames and passwords that were compromised in previous data breaches and attempts to use them on other websites. The attackers are counting on the fact that people often reuse usernames and passwords, which means previously compromised accounts are goldmines for access to other accounts. 
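Seen from the service's side, that pattern is detectable: one source tries many different usernames in a short time and most attempts fail. The following is an added example, not code from Seesaw or Avast, that flags such sources in a login log and lists the accounts they got into so their passwords can be reset. The log format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_USERS = 10                  # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8            # assumed: stuffing mostly fails, shared networks mostly succeed

def detect_stuffing(lines):
    """Return {source_ip: usernames it logged in as} for sources that look like stuffing."""
    by_ip = defaultdict(list)
    for line in lines:
        # Constructed log format: 'ISO-timestamp ip username OK|FAIL'
        ts, ip, user, outcome = line.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "OK"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(users) >= MIN_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                # Every account this source got into needs a forced password reset
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

def sample_log():
    """Constructed sample data; the IPs come from documentation ranges."""
    t0 = datetime(2022, 1, 1, 3, 0, 0)
    lines = []
    # Bot: 30 breached username/password pairs in 5 minutes, two still valid
    for i in range(30):
        outcome = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} 203.0.113.50 parent{i:02d} {outcome}")
    # Forgetful parent: repeated failures, but only ever on one account
    for i in range(5):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 198.51.100.7 forgetful_parent FAIL")
    # School network behind one IP: many users, all successful
    for i in range(12):
        lines.append(f"{(t0 + timedelta(hours=5, seconds=20 * i)).isoformat()} 192.0.2.10 teacher{i:02d} OK")
    return lines

if __name__ == "__main__":
    for ip, users in detect_stuffing(sample_log()).items():
        print(f"{ip}: suspected credential stuffing, reset passwords for {users}")
```

Counting distinct usernames rather than raw failures is what separates the bot from the parent who mistypes a password, and the failure ratio is what separates it from a school whose staff share one address.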

Reused passwords are common — and they’re the biggest potential security weakness in our current password-based system. With so many accounts that need their own passwords (some studies suggest the average person has around 100 passwords now), it’s very tempting to reuse a couple on different accounts. This is especially an issue for parents of school-aged children, who now have multiple apps, accounts, and logins for their (sometimes multiple) children’s schools. 

But, as this attack graphically illustrates, reusing passwords can lead to very real consequences. And while hopefully passwords will soon be a thing of the past (we’re working on it), for now they’re the primary way most tech products are accessed. So, with that in mind, here are four tips on good password hygiene, so that you’re never caught off guard by the butthole bandit.

1. Never reuse passwords

You’ve probably already gotten this message, but the number one rule of good password hygiene is to never reuse your passwords. Not even once. Because if a password is compromised in a data breach — and it almost inevitably will be — then cyber criminals can and will figure out ways to use it elsewhere.

2. Use a password manager

Both creating and remembering unique, long passwords for every account is nearly impossible. That’s where a good password manager comes into play. A password manager helps you create, store, and fill in your passwords for every account. All you have to do is remember one password to unlock the manager — and some even use biometrics, like your face or fingerprint, so you don’t even have to remember that main password anymore. 

3. Try creating passphrases instead of passwords

You’ve probably heard the recommendation that every password should contain a random combination of letters, numbers, and symbols. But here’s a reality about the human brain: There’s no way you’re going to remember that. Instead, the current best advice is to use passphrases rather than passwords. A passphrase is a string of random words that have no relation to each other.

The idea behind passphrases is that it’s much easier to remember a string of three or four words than it is to remember the order of a random set of letters, numbers, and symbols. They’re also hard for attackers to crack, because the lack of relationship between the words means they’re basically nonsensical to the human brain. 

4. Enable multi-factor authentication (MFA) everywhere

Finally, enable multi-factor authentication (MFA) everywhere that it’s possible. You’re probably already familiar with MFA, which requires you to both enter a password (or use a biometric, like your fingerprint) and then also verify your identity another way. (For example, Gmail asks users to open their Google Photos app on their phone and verify that they’re trying to sign in after entering their login info.)

An increasing number of services offer MFA now, although not all do. If you’re especially concerned about your account security, you can add a third-party MFA app for those that don’t have a built-in option.

*Name changed to protect the privacy of those involved.
