Chegg sued by FTC after suffering four data breaches within 3 years


Level 78
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after exposing the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.

The agency's proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.

"Chegg took shortcuts with millions of students' sensitive information," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection, on Monday.

"Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data."

ForgottenSeer 95367

Unless the FTC has overwhelming evidence showing Chegg was willfully or criminally negligent, Chegg can take the FTC to court and get out of it. In the USA there is no federal regulation nor mandate that says anybody is required to guarantee data protection. Cybersecurity need only meet the "best effort" standard in the US. The "best effort" standard is a loose standard.
  • Like
Reactions: Virtuoso and Nevi


Staff Member
Malware Hunter
Jul 27, 2015
Sloppy data security at education tech giant Chegg exposed students and workers' personal information not once but four times in various ways over four years, according to the FTC.

In response, the American consumer watchdog today ordered the company to better protect data, including encrypting sensitive information, providing multi-factor authentication to users and employees, limiting the amount of personal information it collects and retains, and training staff on security practices. Stuff that should have been done a long time ago. Additionally, the FTC noted Chegg didn't necessarily notify all of the 40 million users and employees whose private info was exposed during the four breaches.

So, per an FTC order [PDF], the tech firm also has to notify "each individual whose unencrypted Social Security number, financial account information, date of birth, user account credentials, or medical information was exposed" within the next 60 days.
First, in 2017, Chegg employees fell for a phishing attack, which gave criminals access to employees' direct deposit information.

A year later, a former contractor accessed one of Chegg's S3 databases using an AWS Root Credential, and stole a database containing about 40 million users' data. This included email addresses, first and last names, passwords, and, for some users, their religious denomination, heritage, date of birth, parents' income range, sexual orientation, and disabilities.

Later in 2018, a threat-intel firm notified Chegg that a file containing some of the stolen information was up for sale in an online forum. "Chegg reviewed the file as part of its own investigation, finding it held, among other things, approximately 25 million of the exfiltrated passwords in plain text, meaning the threat actors had cracked the hash for those passwords," according to the complaint. In response, Chegg required about 40 million users to reset their passwords. But it continued to store students' personal information in plain text, we're told.

In 2019, following another successful phishing attack, miscreants stole a senior executive's credentials and used those to access the exec's email inbox, which contained users' and employees' financial and medical information. The email system remained in its default configuration, which meant it didn't require MFA to access inboxes, the complaint said.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.