Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Chegg (2018)

Incident Details

Victimized Company: Chegg Inc.
Incident Dates: 2018-04-29 to 2023-01-26
Disclosure Date: 2018-09-25
Current Status: Threat Actor Unknown

In April 2018, the educational platform Chegg Inc. suffered a breach leading to the exposure of sensitive data on over 40 million users. A former contractor used AWS root credentials to exfiltrate the data.

Incident

Details of the Incident

In April 2018, Chegg allowed a former contractor to retain access to their AWS Account using root credentials. No multi-factor authentication was enabled for the account. Additionally, Chegg neglected to encrypt employee and user information and used a weak hashing algorithm for the user passwords.

Using the AWS Root Credentials, the former contractor exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform. The exposed personal information included the S3 User Data consisting of users’ email addresses, first and last names, passwords, and, for certain Chegg users, their Scholarship Search Data, consisting of their religious denomination, heritage, date of birth, parents’ income range, sexual orientation, and disabilities. … Had Chegg employed reasonable access controls and monitoring, it would have likely detected and/or stopped the attack more quickly.[1]

In September 2018, a threat intelligence vendor discovered an online forum containing 25 million user passwords in plain text. In response, Chegg required 40 million customers to reset their passwords.

Timeline

Date Event
April 29, 2018 A former contractor accessed one of Chegg’s AWS S3 buckets using Root Credentials.
April 29th, 2018 According to an FTC complaint, the former contractor exfiltrated a database containing the personal information of approximately 40 million users of the Chegg platform.
September 19th, 2018 Chegg is informed that exfiltrated data has been found in an online forum.[2] Upon additional investigation, Chegg discovers over 25 million user passwords from the exfiltrated files had been cracked.
September 25th, 2018 Chegg notifies the SEC of the breach.
September 26th, 2018 Chegg notifies the public and its users of the data breach.
September 28th, 2018 Chegg required over 40 million users to reset their passwords.
September 11th, 2019 Class Action lawsuit filed against Chegg for the April 29th 2018 breach.
April 28th, 2020 Judge rules Chegg breach lawsuit must proceed to arbitration.
October 31st, 2022 FTC Files an Official complaint against Chegg over the 2018 breach and other breaches that happened in 2017, 2019, and 2020 via a phishing attack.
November 8th, 2022 A second class action lawsuit was filed against Chegg after the FTC accused the company of multiple cybersecurity faults that led to four data breaches between 2017-2020.
January 26th, 2023 The FTC and Chegg agreed on an order that required Chegg to revamp its security practices, such as updating encryption and changing access controls. Chegg also changed its limits on user data collection and how users can manage their own data.

Attribution / Perpetrator

According to the FTC Complaint,[1] an unnamed former contractor was responsible for using the root credentials to access the personal information.

Long-term impact

The FTC ordered Chegg to implement a proper security program,[3] including training for all employees. Chegg must also offer MFA to all users[4] and submit to regular third-party assessments.[5] The order also states that users must be allowed to access their own data and have the ability to delete their accounts when desired.

Summary of Coverage

Chegg: Letter of notice to Users - September 19, 2018
SEC: FORM 8‑K Disclosure of Security Event - September 25, 2018
Reuters: Judge orders Chegg Breach Cases sent to arbitration - April 18, 2020
Class Action: Class Action Lawsuit Keller vs Chegg - November 8, 2022
FTC: Official Complaint against Chegg Inc - October 31, 2022
New York Times: Chegg Statement to the New York Times - October 31, 2022
FTC: Final Decision on Chegg Breaches - January 26, 2023
FTC: Official Press Release - January 27, 2023

Cloud Security Lessons Learned

The cloud security issues outlined here were part of the FTC’s complaint against Chegg (Paragraph 9, pg2-3):

  • Chegg did not issue individual access credentials to each employee. All employees and contractors used the same shared set of credentials.
  • Chegg did not use IAM for access to their customer data in S3; instead they used the root account, which had been against AWS best practices for several years prior to the Chegg breach.
  • Chegg did not require MFA on the root AWS account.
  • Chegg did not rotate access keys for access to S3.
  • Chegg “failed to adequately monitor its networks and systems for unauthorized attempts to transfer or exfiltrate users’ and employees’ personal information”.
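Every one of these failures except the shared credentials is visible in two artifacts AWS already produces: the IAM credential report (root access keys, root MFA status, key age) and CloudTrail (who used root, and for what). The script below is an added example, not part of this page or of the FTC material it cites. It parses a constructed credential report in the column layout that `aws iam get-credential-report` returns (trimmed to the columns it uses) and a constructed CloudTrail log file, and raises the findings that would have surfaced the Chegg pattern: an active root access key, no MFA on root, keys unrotated for more than 90 days, and any API call made with root credentials. The account id, user names, timestamps and IP addresses are made up for the example.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed IAM credential report. Same header names as the real report
# from `aws iam get-credential-report`, reduced to the columns used below.
# The "<root_account>" row models the Chegg failure: root key active, no MFA.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-03-01T00:00:00+00:00,not_supported,2018-04-29T10:00:00+00:00,false,true,2016-01-10T00:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-06-01T00:00:00+00:00,false,N/A,false,true,2017-06-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-01-15T00:00:00+00:00,true,2018-04-20T00:00:00+00:00,true,true,2018-03-01T00:00:00+00:00,false,N/A
"""

# Constructed CloudTrail log file (the "Records" wrapper is the real file
# shape). GetObject is an S3 data event, so it only appears if data-event
# logging is enabled on the trail.
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2018-04-29T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2018-04-29T10:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.8",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

# Constructed "as of" date for the key-age check (the breach date).
AS_OF = datetime(2018, 4, 29, tzinfo=timezone.utc)


def parse_report_time(value):
    """Credential-report timestamps are ISO 8601; several sentinels mean 'unknown'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (principal, finding) pairs for root-key use, missing MFA and stale keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; IAM users only if password_enabled is true.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should have no access keys at all; IAM principals go through IAM.
                findings.append((user, f"root account has an active access key (slot {slot})"))
            rotated = parse_report_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key {slot} not rotated in {max_key_age_days} days"))
    return findings


def root_activity(cloudtrail_json):
    """Return every CloudTrail event made with root credentials; each one is alert-worthy."""
    records = json.loads(cloudtrail_json)["Records"]
    return [(r["eventTime"], r["eventSource"], r["eventName"], r["sourceIPAddress"])
            for r in records if r.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    for principal, finding in audit_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"[credential report] {principal}: {finding}")
    for event in root_activity(SAMPLE_CLOUDTRAIL_JSON):
        print("[cloudtrail] root activity:", *event)
```

Against a live account the same two functions work on the output of `aws iam get-credential-report --query Content --output text | base64 -d` and on the gzipped JSON files CloudTrail delivers to S3; a finding of any kind for `<root_account>`, or any root event at all, is the condition to page on, since day-to-day work should never touch root.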

[1] FTC Complaint Paragraph 12, pg 2
[2] FTC Complaint Paragraph 13, pg 2
[3] FTC Decision and Order Section V, pg 5
[4] FTC Decision and Order Section III, pg 5
[5] FTC Decision and Order Section VI, pg 8-10