Chegg, an education technology company, reportedly suffered a massive data breach a few months ago.
The incident, however, remained hidden as the company didn’t notice the hack previously. Nonetheless, recently, an Education Technology Consultant and Tech Blogger, Phil Hill, stumbled upon an 8-K form filed with the SEC (Securities and Exchange Commission) that made him aware about the breach. He then broke the news in his tweet.
Phil Hill (@PhilOnEdTech)
“On September 19, 2018, Chegg learned that on or around April 29, 2018, an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib.”
Upon noticing the incident, Chegg began investigating the matter that revealed that the hackers might have accessed various customer details.
“The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password.”
While the firm clearly states about hashed passwords, they didn’t mention any details about the hashing algorithm. Thus, the fear of breaking the hash to reveal plain-text passwords remains.
Financial Data Remained Safe –
As a limited sigh of relief, the company stated in the form that the financial details of customers remained safe. They also mentioned that the breach also did not affect customers’ Social Security numbers.
“To date, the Company understands that no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained.”
Allegedly, the firm began reporting the affected users about the breach from September 26, 2018. The attack affected the company’s customer base of 40 million. Consequently, the company plans to reset all users’ passwords for security purposes. The investigations are still underway to find out more details about the matter.
The company went public in 2013, and is currently worth $3.3 billion. Chegg’s stock is down more than 10 percent a day after the breach was revealed.