Chegg data breach

What Happened

In April 2018, educational technology company Chegg Inc. suffered a major data breach when a former contractor used AWS root credentials to access and exfiltrate a database containing personal information of approximately 40 million users. The exposed data included names, email addresses, passwords (stored with weak hashing), and, for certain users, sensitive scholarship information such as dates of birth, parents’ income range, sexual orientation, and disabilities.

The breach went undetected for months until September 2018, when a threat intelligence vendor discovered 25 million user passwords in plain text on an online forum. The incident was publicly disclosed on September 26, 2018. It resulted from Chegg’s poor security practices, including the failure to implement multi-factor authentication, lack of encryption for user data, absence of network monitoring, and the sharing of a single AWS root access key with employees and contractors.

The FTC later filed a complaint against Chegg in October 2022 for this breach and three others occurring between 2017-2020, ultimately requiring the company to implement comprehensive security reforms including encryption, multi-factor authentication, and employee security training.

Compromised Assets

  • username
  • first name
  • last name
  • address
  • college
  • email
  • registration date
  • password
