Chegg to reset passwords for 40 million users after April 2018 hack

Chegg says it discovered the hack last week and that hackers didn't access financial or SSN data.
Written by Catalin Cimpanu, Contributor

Chegg, a US-based education technology company based in Santa Clara, plans to reset passwords for over 40 million users following the discovery of a security incident dating back to this year's spring.

The company reported the hack in an 8-K form [1, 2] filed with the Securities and Exchange Commission (SEC) yesterday.

Also: Cheat sheet: How to become a cybersecurity pro TechRepublic

Chegg said it discovered the hack a week ago, on September 19, but that the intrusion dates back to April 29.

"An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib," said Chegg in its SEC filing.

Also: Zaif cryptocurrency exchange loses $60 million in recent hack

An investigation is currently ongoing. Chegg said the hacker(s) "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com passwords.

The company said account passwords were protected by a hashing algorithm and were not stored in cleartext, albeit it did not mention which hashing algorithm. This is important as many of these algorithms can be broken and the passwords reverted to their plaintext forms.

Also: The best facial recognition cameras you can buy today CNET

Chegg said hacker(s) did not gain access to Social Security numbers nor financial information, such as payment card or bank account numbers.

The ed tech company said it plans to reset passwords and notify its userbase, estimated at over 40 million.

Also: Equifax just took another hit from that 2017 hack

Phil Hill, an ed tech consultant who first spotted the SEC form, confirmed that Chegg had not yet started the notification process today, a day after the 8-K filing.

"I get that the company needs to notify the SEC, being a publicly traded company, but they certainly are not notifying the public very well. Seems focus is on guidance for stock price, not transparency," said Hill.

Tech news site TechCrunch first broke the story, noting that Chegg's stock price went down 10 percent after news of the hack hit Wall Street.

Chegg was founded in 2005 and is largely known for its online tutoring and textbook rentals services offered through the chegg.com portal.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.

Related stories:

Editorial standards