Incident Details | |
---|---|
Victimized Company | Chegg Inc. |
Incident Dates | 2018-04-29 to 2023-01-26 |
Disclosure Date | 2018-09-25 |
Current Status | Threat Actor Unknown |
In April 2018, the educational platform Chegg Inc. suffered a breach leading to the exposure of sensitive data on over 40 million users. A former contractor used AWS root credentials to exfiltrate the data.
In April 2018, Chegg allowed a former contractor to retain access to its AWS account using root credentials. No multi-factor authentication was enabled for the account. Additionally, Chegg neglected to encrypt employee and user information and used a weak hashing algorithm for user passwords.
> Using the AWS Root Credentials, the former contractor exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform. The exposed personal information included the S3 User Data consisting of users’ email addresses, first and last names, passwords, and, for certain Chegg users, their Scholarship Search Data, consisting of their religious denomination, heritage, date of birth, parents’ income range, sexual orientation, and disabilities. … Had Chegg employed reasonable access controls and monitoring, it would have likely detected and/or stopped the attack more quickly.[^1]
In September 2018, a threat intelligence vendor discovered an online forum containing 25 million user passwords in plain text. In response, Chegg required 40 million customers to reset their passwords.
Date | Event |
---|---|
April 29, 2018 | A former contractor accessed one of Chegg’s AWS S3 buckets using root credentials. |
April 29, 2018 | According to an FTC complaint, the former contractor exfiltrated a database containing the personal information of approximately 40 million users of the Chegg platform. |
September 19, 2018 | Chegg is informed that exfiltrated data has been found on an online forum.[^2] Upon further investigation, Chegg discovers that over 25 million user passwords from the exfiltrated files had been cracked. |
September 25, 2018 | Chegg notifies the SEC of the breach. |
September 26, 2018 | Chegg notifies the public and its users of the data breach. |
September 28, 2018 | Chegg requires over 40 million users to reset their passwords. |
September 11, 2019 | A class action lawsuit is filed against Chegg for the April 29, 2018 breach. |
April 28, 2020 | A judge rules that the Chegg breach lawsuit must proceed to arbitration. |
October 31, 2022 | The FTC files an official complaint against Chegg over the 2018 breach and other breaches that happened in 2017, 2019, and 2020 via a phishing attack. |
November 8, 2022 | A second class action lawsuit is filed against Chegg after the FTC accuses the company of multiple cybersecurity failures that led to four data breaches between 2017 and 2020. |
January 26, 2023 | The FTC and Chegg agree on an order requiring Chegg to revamp its security practices, such as updating encryption and changing access controls. Chegg also changes its limits on user data collection and how users can manage their own data. |
According to the FTC complaint,[^1] an unnamed former contractor was responsible for using the root credentials to access the personal information.
The FTC ordered Chegg to implement a proper security program,[^3] including training for all employees. Chegg must also offer MFA to all users[^4] and submit to regular third-party assessments.[^5] The order also states that users must be allowed to access their own data and must be able to delete their accounts when desired.
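The control gaps described above (root credentials retained by a departed contractor, no MFA, no monitoring of credential use) and the MFA requirement in the FTC order map onto checks an account owner can run against the IAM credential report. The following is an added example, not code from this page or from Chegg; it assumes the column names of the credential report CSV and uses a constructed sample, flagging root access keys, console-enabled identities without MFA, and access keys unused past a threshold.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (the CSV that
# `aws iam get-credential-report` returns). Column names are an assumption
# about that format; only the columns this check reads are included.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,false,true,2018-04-29T10:15:00+00:00,false,N/A
contractor-legacy,arn:aws:iam::111122223333:user/contractor-legacy,false,false,true,2017-11-02T08:00:00+00:00,false,N/A
sre-alice,arn:aws:iam::111122223333:user/sre-alice,true,true,true,2018-09-15T12:00:00+00:00,false,N/A
"""
# Constructed "current date" for the sample: the day Chegg learned of the leak.
SAMPLE_NOW = datetime(2018, 9, 19, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, stale_days=90):
    """Return (user, finding) tuples for the control gaps the FTC complaint
    describes: root with active access keys, console-enabled identities
    without MFA, and access keys unused for more than `stale_days` (a
    departed contractor's key keeps working until someone deactivates it)."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        keys_active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if is_root and keys_active:
            findings.append((user, "root account has active access keys"))
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "no MFA on a console-enabled identity"))
        for n in keys_active:
            last = row[f"access_key_{n}_last_used_date"]
            # "N/A" means the key has never been used; treat it as stale too.
            if last == "N/A" or datetime.fromisoformat(last) < cutoff:
                findings.append((user, f"access key {n} unused since {last}"))
    return findings


def audit_sample():
    """Run the check over the constructed sample at the constructed date."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

Against the sample, the root account is flagged three times (active key, no MFA, key last used on the day of the breach) and the contractor's orphaned key once, while the MFA-protected operator produces no findings.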
- Chegg: Letter of notice to users - September 19, 2018
- SEC: Form 8-K disclosure of security event - September 25, 2018
- Reuters: Judge orders Chegg breach cases sent to arbitration - April 18, 2020
- Class Action: Class action lawsuit Keller vs. Chegg - November 8, 2022
- FTC: Official complaint against Chegg Inc. - October 31, 2022
- New York Times: Chegg statement to the New York Times - October 31, 2022
- FTC: Final decision on Chegg breaches - January 26, 2023
- FTC: Official press release - January 27, 2023
The cloud security issues outlined here were part of the FTC’s complaint against Chegg (Paragraph 9, pg2-3):
[^1]: FTC Complaint Paragraph 12, pg 2
[^2]: FTC Complaint Paragraph 13, pg 2
[^3]: FTC Decision and Order Section V, pg 5
[^4]: FTC Decision and Order Section III, pg 5
[^5]: FTC Decision and Order Section VI, pg 8-10