Homework help site Chegg accused of leaking user data

security
(Image credit: Shutterstock / Song_about_summer)

Homework help site Chegg has leaked sensitive consumer data on more than one occasion in previous years due to its below-par security, an official report has declared.

A post from the US Federal Trade Commission (FTC) claims Chegg leaked identity data on more than 40 million consumers, casting serious doubts over its cybersecurity practices.

The FTC claimed that Chegg could have avoided most of these problems had it simply followed the basics of securing sensitive data. What’s more, the company also did not properly monitor its networks for attempts at unauthorized access and data theft. 

Four major incidents

The FTC list of accusations includes the claims that Chegg didn’t require multi-factor authentication (MFA) for account access to its AWS S3 cloud databases, stored user and employee personal information in plain text, protected passwords with outdated cryptographic hash functions, did not provide adequate training for its employees and contractors, and did not set up processes for inventorying and deleting customer and employee data that was no longer needed.

All in all, the FTC listed four separate incidents: two involving the exposure of payroll information to scammers, one the leaking of sensitive material online and another where an executive’s email account was compromised. 

This included one where an employee fell for a phishing attack and gave someone access to the employees’ direct deposit payroll information, one where a former contractor who used Chegg’s AWS credentials to take sensitive material from one of its S3 databases and ultimately leak it online, one in which a phishing attack resulted in the compromise of an executive’s email inbox, and one in which a senior employee responsible for payroll gave an intruder access to the company’s payroll system.

As a result, the attacker stole W-2 information on some 700 current and former employees, including birthdates and Social Security numbers.

Chegg settled its case with the FTC by agreeing to comprehensively restructure its data protection practices. Among other things, the company will now follow a schedule for the personal data it collects, why it collects it, and when it will ultimately delete it.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A man looking at a tablet with a brown Best Buy package on the desk in front of him
Huge Christmas data breach - 14 million shipping records leaked, putting shoppers at risk
Someone holding a passport with two boarding passes inside it
Top digital loan firm security slip-up puts data of 36 million users at risk
Security padlock and circuit board to protect data
Foh&Boh data leak leaves millions of CVs exposed - KFS, Taco Bell, Nordstrom applicants at risk
Cartoon Phishing
One of the largest data leaks ever sees info on 1.5 billion people leaked online
Red padlock open on electric circuits network dark red background
Publishing giant Scholastic hit by hackers, data on 8 million people stolen
How to prevent cyberattacks
PowerSchool breach worse than thought, company says "all" student and teacher data accessed
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all
A smartphone on a sofa showing the WhatsApp, Telegram and Signal apps
Forget AI – WhatsApp is planning a simple messages feature that could be its most useful upgrade in years
NordicTrack Ultra 1
The new NordicTrack Ultra 1 treadmill looks like it was designed by an architect and costs $15,000