[Update] Chegg Data Breach Resets 40M passwords due to Data Breach

Ryujin2003

Chegg started notifying customers about a data breach that occurred in April 2018. Chegg didn't explicitly state what information is compromised, but only that "some" had potentially been. This is not good considering the size of the consumer base that Chegg has globally, not just inside the US. With account information such as financial data, address, and other personally identifiable information, I'm not too happy.
Here is the letter they sent out.
Quote
Notice of Data Breach
Hello,
We recently discovered that some data from your Chegg.com account, or one of its family of student services, may have been acquired by an unauthorized party, and I wanted to reach out to you directly to inform you of what happened and what we are doing to protect your information. While our investigation into this matter continues, we are letting you know now because we value our relationship with you and we take the security of your information seriously.
What Happened?
On September 19, 2018, we learned that, on or around April 29, 2018, an unauthorized party gained access to one of our databases that hosts user data. An investigation, supported by a third-party forensics firm, was commenced. We have determined that some of your account information may have been obtained, which is why you are receiving this notice.
What Information Was Involved?
Our understanding is that the data that may have been obtained could include your name, email address, shipping address, Chegg username, and hashed Chegg password. Our current understanding is that no financial information such as credit card numbers, bank account information, or social security numbers was obtained.
What We Are Doing
We will prompt you to change your Chegg.com password upon login. If your password has been changed on or after September 26th, 2018, you will not be prompted to change it again.
What You Can Do
In addition, it is always good practice to use different passwords for different online accounts. To the extent that you used the same password on any websites or apps that you used on your Chegg account, we recommend changing those passwords as well.
Also, please review the enclosed “Information about Identity Theft Protection” attachment for steps you can take to help protect yourself against risks associated with identity theft generally.
For More Information
We understand you may have questions. Find more information at this link or contact us at 1-855-581-9880.
I wanted to reiterate that we take the security of our users’ information seriously and value the relationship we have with each and every Chegg user.
Thank You,
Dan Rosensweig,
CEO of Chegg, Inc.
They give the general recommendations such as changing your passwords and getting with Equifax and company to check your credit for any illicit activity.
So thankfully, this website didn't collect my SSN. And every card I did have associated is long since expired. I haven't used the site in quite some time. I understand this type of thing happens, but I really wish that it was easy to delete my account when I decide I no longer need their services. I get books cheaper on Amazon, Amazon delivers faster, and their customer service experience is better. I have no need for Chegg, and most people I know that use it are doing it for free answers to homework (free being used loosely since you do pay for that feature).
I'm glad they notified everyone, but I wish their wording was clearer. Did they find out on the 19th and launch an investigation at that time? Did they launch it immediately? Or did they know since the 19th and took until today to send out notifications?
I do hope they are open about how someone got access to databases. I guess it's nice that their passwords weren't stored in plain text, so there's that I guess.
Change passwords, change to a different provider of books? The power is yours.
Source: An Email I received. (Will update with additional information later)
[Update 1]
Quote

In a filing with the Securities and Exchange Commission, the company said it will reset all user passwords after hackers gained access to the company’s customer database. That database includes users for Chegg’s website but also other products, such as citation service EasyBib, which it owns.

The breach occurred in April, but was only discovered a week ago.

Hackers stole usernames, email addresses, shipping addresses and hashed passwords, the company said, but doesn’t believe that financial data was taken.

https://techcrunch.com/2018/09/26/chegg-resets-40-million-user-passwords-after-data-breach/

Quote

Chegg said it first learned of the breach on September 19 and plans to start notifying approximately 40 million registered users and regulatory authorities about the incident.

“Chegg takes the security of its users’ information seriously and will be initiating a password reset process for all user accounts,” the company said in the SEC filing.
But Phil Hill, an ed tech consultant who first spotted the SEC form, reported that Chegg had not started the notification process, even after the 8-K filing.

“I get that the company needs to notify the SEC, being a publicly traded company, but they certainly are not notifying the public very well. Seems focus is on guidance for stock price, not transparency,” said Hill, according to ZDNet.

https://www.pymnts.com/news/security-and-risk/2018/chegg-data-breach/
So, they were hacked, and are now resetting all of these passwords manually. That's great, but the damage is already done. Why the hell do they keep social security numbers is what I want to know. Also, their other services don't appear to be segregated unless there were multiple breach points. Not sure why they would keep different services together. Separate that shit because of this reason.
I agree with Mr Hill here. Googling, the majority of what I find is them taking a hit in the stock market because of this. No public acknowledgement or notification beyond the email. That is pretty shitty. They should have a headline in mainstream media to get the word out... Very disappointing. Glad I don't use their services any longer.

Just now, HarryNyquist said:

How long before it comes out that the username/password to the database was "root/password" or something equally dumb?

I give them about a month. That's long enough for people to "forget".
It's probably from some app they installed for advertisement revenue. My best guess.

Well, I used their services in like August to pay for textbooks, so hopefully I'm not affected by this breach. But now this sounds a bit concerning.

"If it has tits or tires, at some point you will have problems with it." -@vinyldash303

this is probably the only place i'll hang out anymore: http://linustechtips.com/main/topic/274320-the-long-awaited-car-thread/
Current Rig: Intel Core 2 Quad Q6600, Abit IN9-32MAX nForce 680i board, Galaxy GT610 1GB DDR3 gpu, Cooler Master Mystique 632S Full ATX case, 1 2TB Seagate Barracuda SATA and 1x200gb Maxtor SATA drives, 1 LG SATA DVD drive, Windows 10. All currently runs like shit :D 

11 minutes ago, terrytek said:

Well, I used their services in like August to pay for textbooks, so hopefully I'm not affected by this breach. But now this sounds a bit concerning.

If they were breached in April and didn't find out until now, I'd go with the assumption that they were potentially vulnerable to continued access until now.

I woke up to that email on my phone. Not a good start to my day. :|

CPU: i7 9700K GPU: MSI RTX 2080 SUPER VENTUS Motherboard: ASRock Z390 Phantom Gaming 4 RAM: 16GB ADATA XPG GAMMIX D10 3000MHz Storage: ADATA SU630 480GB + Samsung 860 EVO 1TB + Samsung 970 EVO Plus NVMe 1TB + WD Blue 1TB PSU: HighPower 80+ Gold 650W Case: Slate MR Mirror Finish OS: Windows 11 Pro Monitor: Dell S2716DGR 27" Mouse: Logitech G300s Keyboard: Corsair K70 LUX Cherry MX Brown Speakers: Bose Companion 2 Series III Headset: HyperX Cloud Alpha Microphone: Razer Seiren X

Another company I have never heard about before.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking

1 hour ago, Ryujin2003 said:

hashed Chegg password

At least one person did their job well; the others, maybe not so much.

I'm no longer using their service after this. I can't respect a company that doesn't take their cyber security seriously.

Mobo: Z97 MSI Gaming 7 / CPU: i5-4690k@4.5GHz 1.23v / GPU: EVGA GTX 1070 / RAM: 8GB DDR3 1600MHz@CL9 1.5v / PSU: Corsair CX500M / Case: NZXT 410 / Monitor: 1080p IPS Acer R240HY bidx
