I have a friend from the MSc course, who is a teacher here in the UK, and he is often caught by the schools very high security stance, when he is trying to teach cyber security to his students. Many of the legitimate sites and resources he wants access to are on the blacklist for the firewall filtering, for obvious reasons. Cyber security for schools should be as tight as possible and that should also extend to all suppliers.
Because when it goes wrong the results can be catastrophic.
US school app accounts hacked to send explicit image – BBC News
However when Seesaw (the app in question) checked it found it systems had not been breached. It appears that in this case it is the users – parents, family member, teachers and students – who have been reusing passwords that have been compromised, and the hacker simply ran a credential stuffing attack.