In April 2018, the widely-used tutoring service and textbook provider Chegg experienced a data breach, after an unauthorized source accessed one of the company’s databases. The breach was discovered in Sept. 2018.
On Sept. 26, chief information officer Todd Norris announced in a campus-wide email that the Saint Mary’s College Information Technology department had learned the Chegg usernames and passwords originally stolen in the breach had been decrypted and posted online. Though Chegg reset the passwords of the 40 million affected accounts on their own system, Norris said individuals who are using the same password on other sites are now at risk.
In the email, Norris advised students to change their Saint Mary’s passwords immediately.
Junior Sophie Koeppl, a Chegg user since her freshman year of college, said she was alerted to the breach by the College and was not contacted directly by the textbook provider.
“I never got an email from Chegg confirming the security breach that happened last year,” Koeppl said.
Kathy Hausmann, associate director for technical support services at Saint Mary’s, said the information obtained in the 2018 breach potentially included a Chegg user’s name, email address, shipping address, Chegg username and hashed Chegg password.
“Saint Mary’s College received a notification from REN-ISAC (Research and Education Networks Information Sharing and Analysis Center) ‘that some credentials from your institution have appeared in a credential dump related to the Chegg data breach,’” Hausmann said in an email. “The information obtained from the Chegg data breach had been shared online for others to do further damage beyond the initial data breach of Chegg.”
Because individuals had registered for Chegg using their Saint Mary’s email addresses, REN-ISAC notified the College about saintmarys.edu addresses appearing in the recent credential dump, Hausmann said.
“Instead of only contacting the 1,253 individuals in the list REN-ISAC provided, it was decided that all Saint Mary’s students, faculty and staff would be notified,” she said. “Those who signed up with Chegg using personal e-mail accounts would then also be aware that their account information could have been made public.”
While password hashing is a type of protective one-way encryption, Hausmann said hashed passwords can still be decrypted.
“After hashed passwords are decrypted, the passwords can be used to sign into affected accounts if the passwords were not already changed,” Hausmann said. “There is also the concern that the released e-mail addresses and passwords could be used to try and gain access into accounts unrelated to Chegg, including e-mail, social media and finance-related websites.”
Chegg users should respond to the breach by changing the passwords to any accounts that are potentially the same password associated with their Chegg account in April 2018, Hausmann said.
“If you don’t remember your April 2018 password for Chegg, changing your Saint Mary’s password or any other passwords not changed since last spring will help keep your personal information secure,” Hausmann said. “The best ways to protect your personal information in the case of a data breach beyond your control is to have a different password for every account that you access and to use complex passwords for all your accounts.”
