ACT's Education Directorate has blocked all public school students from accessing their Google email accounts after they were spammed en masse on Friday.
The spam campaign emerged on Friday afternoon with an undisclosed number of students receiving dozens of emails, resulting in a reply-all “email storm”.
iTnews understands some of the emails link to lewd websites and Instagram accounts, while other messages tried to solicit inappropriate images.
One concerned parent, who is also an IT consultant, told iTnews that some student email accounts appeared to have been compromised, either through phishing or brute force.
He said these accounts, possibly suffering from weak credentials and the lack of two-factor authentication, were then used to spam internal mailing lists.
A spokesperson for the ACT Education Directorate confirmed that ACT public schools had experienced an "email incident" on Friday.
"The incident appears to have involved a spam email being circulated to students," the spokesperson said.
"These messages have included a range of material, including inappropriate material."
While the directorate is still investigating the "full extent of the issues", students have been blocked from accessing the Google email platform as a precaution.
"The Education Directorate has responded by blocking access to the Google platform by all students," the spokesperson said.
"Access will resume once the incident has been thoroughly investigated and appropriate controls put in place.
"Schools, parents and students are being advised if they received the email they should not forward it on and delete any copies they may have."
In a further update on August 18, ACT Education advised that its investigation had "confirmed no external body has hacked or exported information from our systems".
"The incident occurred when a student attempted to share their work with their classmates, accidentally using a global distribution list code," it said.
"Other students ‘replied all’ and a small number of students shared inappropriate content, including pornographic imagery."
ACT Education said it had worked over the weekend to "remove access to global distribution lists and rigorously test our systems to ensure students cannot again access the lists".
Students are expected to be able to access their email accounts by the end of the week. Google Drive and Google Classroom have already been restored.
Updated Tuesday August 18