In September 2018 on e-Literate I wrote about a data breach at Chegg that potentially affected up to 40 million student accounts. The breach itself occurred in April of that year, with the discovery of the breach occurring a week before the notice, as described in the company’s disclosure to investors:
On September 19, 2018, Chegg learned that on or around April 29, 2018, an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib. The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password. The investigation into the incident, which is supported by third-party forensics, is ongoing. To date, the Company understands that no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained.
Mainstream channels focusing on stock price effects (Bloomberg, CNBC, TechCrunch, etc.) and security-specific channels (Security Today, DataBreaches, etc.) covered the story.
In a subsequent post on e-Literate, I noted the lack of transparency from Chegg.
What is problematic with the Chegg data breach is that no further information has been made public and there has yet to be any interest from the broader ed tech press to dig up answers. We have no idea how serious this breach is, and I do not believe that the users with compromised personal information have had any updates since the initial email blast and associated post.
This behavior continues despite a new exposure resulting from the 2018 breach.
Information Decrypted and Exposed
In September of this year the data appears to have been decrypted (that is, the hashed passwords were cracked and recovered as plaintext) and posted online, exposing student email and password combinations as described in a Tulane University IT announcement: [emphasis added]
In 2018, Chegg.com, a company that offers textbook rental and tutoring services, suffered a data breach resulting in the loss of 40 million customer records which included full names, email addresses, usernames, and passwords. Now the results of Chegg’s 2018 data breach have been publicly exposed online, which poses a substantial threat. If users happen to reuse or slightly modify passwords across multiple services, publicly exposed credentials can be exploited.
Several universities across the nation have reported malicious use of these leaked email addresses and passwords which were contained in the Chegg breach. This is of concern for anyone who may have signed up for Chegg using their Tulane email address and a password similar or identical to their Tulane.edu password. Several Tulane students and alumni have reached out to the IT service desk affected by this breach of Chegg data.
An article from Saint Mary’s College describes that the discovery of this decryption was not described to schools or users by Chegg, but rather by a separate security agency.
Junior Sophie Koeppl, a Chegg user since her freshman year of college, said she was alerted to the breach by the College and was not contacted directly by the textbook provider.
“I never got an email from Chegg confirming the security breach that happened last year,” Koeppl said.
Kathy Hausmann, associate director for technical support services at Saint Mary’s, said the information obtained in the 2018 breach potentially included a Chegg user’s name, email address, shipping address, Chegg username and hashed Chegg password.
“Saint Mary’s College received a notification from REN-ISAC (Research and Education Networks Information Sharing and Analysis Center) ‘that some credentials from your institution have appeared in a credential dump related to the Chegg data breach,’” Hausmann said in an email. “The information obtained from the Chegg data breach had been shared online for others to do further damage beyond the initial data breach of Chegg.”
The University of Central Florida’s IT advisory described how Chegg’s method of hashing passwords appears to have led to the decryption and release of compromised information online.
According to a news alert sent by UCF INFOSEC Wednesday morning, the weak encryption used to store user data was the primary cause of cyber criminals gaining access to the information of thousands of users.
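The two IT advisories above make a mechanical point that is worth seeing in code: an unsalted, fast hash lets anyone holding a dump compare it against a precomputed table of common passwords, while a salted, slow key-derivation function does not, and the same verification routine gives an institution a way to act on the reuse concern the Tulane notice raises. The following Python is an added illustration written for this page, not code from Chegg, UCF or Tulane; the account names, passwords, and the "common password" list are constructed sample data, and the page does not state which hash Chegg actually used, so the weak scheme here is an assumed stand-in.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data (not from the breach): three accounts, two of which
# chose the same password.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "alice@example.edu": "Winter2018!",
    "bob@example.edu": "Winter2018!",
    "carol@example.edu": "correct horse battery staple",
}

# Constructed stand-in for a precomputed table of commonly chosen passwords.
COMMON_PASSWORDS: List[str] = ["password", "123456", "Winter2018!"]

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB of memory per guess


def weak_hash(password: str) -> str:
    """Assumed weak scheme: one unsalted SHA-256 pass. It is fast and
    deterministic, so equal passwords give equal digests and a table hashed
    once resolves every matching account in a dump."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record 'scrypt$<salt>$<digest>'. A fresh random salt per
    user means equal passwords yield different records and no table can be
    precomputed; the memory-hard KDF makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = record.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_weak_records(accounts: Dict[str, str]) -> Dict[str, str]:
    """What a database using the assumed weak scheme would hold."""
    return {user: weak_hash(pw) for user, pw in accounts.items()}


def build_strong_records(accounts: Dict[str, str]) -> Dict[str, str]:
    """What a database using salted scrypt would hold."""
    return {user: strong_hash(pw) for user, pw in accounts.items()}


def precomputed_table_hits(records: Dict[str, str]) -> Dict[str, str]:
    """Defender's risk view of an unsalted dump: hash the common-password list
    once and look each stored digest up in it. Returns user -> recovered
    password for every account whose digest is in the table."""
    table = {weak_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in records.items() if h in table}


def accounts_needing_reset(leaked_plaintext: Dict[str, str],
                           institution_records: Dict[str, str]) -> List[str]:
    """Institutional response to a credential dump: verify each leaked
    (email, password) pair against the institution's own salted records. A
    match means the user reused that password locally and the account should
    be reset. Only the institution can do this, since only it holds the salts."""
    return sorted(user for user, pw in leaked_plaintext.items()
                  if user in institution_records
                  and verify_strong(pw, institution_records[user]))


if __name__ == "__main__":
    weak = build_weak_records(SAMPLE_ACCOUNTS)
    print("unsalted dump, table hits:", precomputed_table_hits(weak))
    strong = build_strong_records(SAMPLE_ACCOUNTS)
    print("salted records differ for alice/bob:",
          strong["alice@example.edu"] != strong["bob@example.edu"])
    # Constructed institutional directory: alice and carol reused their Chegg
    # password for their campus account, bob did not.
    campus = {
        "alice@example.edu": strong_hash("Winter2018!"),
        "bob@example.edu": strong_hash("a different campus password"),
        "carol@example.edu": strong_hash("correct horse battery staple"),
    }
    print("force reset:", accounts_needing_reset(SAMPLE_ACCOUNTS, campus))
```

The unsalted dump gives up alice and bob together from a three-entry table and nothing about carol, whose passphrase is not in it; the salted records for alice and bob differ even though their passwords are identical, and the only way to use them is to run the KDF once per guess per account. The reset check is the defensive counterpart: it never needs the leaked passwords stored anywhere, only a one-time verification pass against the institution's own records.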
What about Chegg?
Where is Chegg in all this year’s news? It appears that the company is continuing its approach of trying to minimize the news about security breaches and primarily notifying the investment community. I could find nothing in public where Chegg is notifying people of the decryption and compromise of username / password combinations.
The only public mention of the 2018 data breach, ironically, came from an investor call in early November where an analyst asked about a similar data breach at Thinkful, a company that Chegg had just acquired. CEO Dan Rosensweig did not take the opportunity to describe the decryption of the 2018 data and even described the incident as having no impact. [emphasis added]
Let’s start with the news. So it was — so no, we were not cognizant ahead of the announcing of the [Thinkful] data breach.
We obviously were made aware, the moment that they knew. And fortunately, similar to ours, which, as you know, amounted to nothing. There was no pertinently identifiable information, no credit card information. And they don’t have — their customer base is much smaller than ours, obviously, and they charge a lot more.
So it was a non-variable as best as we can tell. And everything that we looked at afterwards, we’ve asked them to follow the exact same protocols that we did, which was complete and open transparency, communicate immediately, notify everybody. Openly notify people because, unfortunately, it’s a fact of life in technology that these things are going to happen. But fortunately, neither one of us has the PI or the credit card information.
Amounted to nothing? We now have new exposure of decrypted information with documented increase in malicious attacks. While I am not aware of further loss of information from this situation, I would not call it nothing. As described in the Saint Mary’s College notification:
“After hashed passwords are decrypted, the passwords can be used to sign into affected accounts if the passwords were not already changed,” Hausmann said. “There is also the concern that the released e-mail addresses and passwords could be used to try and gain access into accounts unrelated to Chegg, including e-mail, social media and finance-related websites.”
Complete and open transparency? Chegg waited a week to send an email to users about the breach discovery last year and only later made a public post. And the company has made no “complete and open transparency” attempt based on the September 2019 decryption and exposure of information, according to the news articles.
This evolving story should be a wakeup call to the EdTech community to take data security more seriously, and for institutions to demand greater transparency from vendors.