Chegg, a US education technology company based in Santa Clara, plans to reset passwords for over 40 million users following the discovery of a security incident dating back to the spring of this year.
Chegg said it discovered the hack a week ago, on September 19, but that the intrusion dates back to April 29.
"An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib," said Chegg in its SEC filing.
An investigation is currently ongoing. Chegg said the hacker(s) "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com passwords.
The company said account passwords were protected by a hashing algorithm and were not stored in cleartext, although it did not say which hashing algorithm it used. This matters because many hashing algorithms are weak enough that the hashes can be cracked and the plaintext passwords recovered.
Chegg said the hacker(s) did not gain access to Social Security numbers or financial information, such as payment card or bank account numbers.
The ed tech company said it plans to reset passwords and notify its userbase, estimated at over 40 million.
Phil Hill, an ed tech consultant who first spotted the SEC form, confirmed that Chegg had not yet started the notification process today, a day after the 8-K filing.
"I get that the company needs to notify the SEC, being a publicly traded company, but they certainly are not notifying the public very well. Seems focus is on guidance for stock price, not transparency," said Hill.
Tech news site TechCrunch first broke the story, noting that Chegg's stock price went down 10 percent after news of the hack hit Wall Street.
Chegg was founded in 2005 and is largely known for the online tutoring and textbook rental services it offers through the chegg.com portal.