Some 800 schools across the US have been targeted by hackers and their websites redirected to an Islamic State-sponsored YouTube video.
The attack, which lasted a few hours, affected schools in Arizona, Connecticut, Virginia and New Jersey.
The hack, which also affected private companies and government websites, is being investigated by the FBI.
All the websites are run by SchoolDesk. The Atlanta-based company is advising administrators to change passwords.
It said in a statement that “it immediately responded” when its technicians had found a small file injected into the root of one of its websites that redirected “to a YouTube video containing an audible Arabic message and a picture of Saddam Hussein”.
“Although the exact method and point of intrusion is not yet fully known (possibly an SQL injection or through a user account with a weak password), we have added multiple layers of redundant protection to prevent this from happening again,” it said.
On its website, Bloomfield School District, in New Jersey, said that its internal computer and data systems within the district “were completely unaffected”.
Mark James, a specialist at security company ESET, said: “In this case, gaining access to change or plant a rogue file that redirects users to areas of your design is about as simple as it gets – small footprint, no potential warning signs and out before anyone notices – but the results are as bad as they get.”