1(630)802-8605 Ravi.das@bn-inc.net

It appears that some of the favored targets for the Cyber attacker now are educational institutions and even non-profit organizations here in the United States.  But it is not just these entities that are at risk; any other business or corporation that is a vendor for them is also at risk of being hacked into.

Such is the case with Chegg, an educational technology firm based in Santa Clara, California.  The company originally started out as a place where students could buy and rent textbooks, but in recent years it has greatly expanded its business model to include the following services:

*Online homework help;

*Online tutoring;

*Offering scholarships to qualified candidates;

*Help in finding internships between school years so that the candidate can gain valuable job experience;

*Test Preparation;

*Writing services.

The name “Chegg” is actually a play on the words “Chicken” and “Egg” (meaning you can’t find a job without experience, but can’t gain experience without having a job).  The company was created by three former Iowa State University students back in 2001, and was later officially founded by Aayush Phumbra.  It has total assets of almost $500 Million and revenues of $255 Million, but has reported a net loss so far of about $20 Million.

Because of the wide array of services that they offer, one could safely assume that they have a reasonably large customer base, and in fact they do.  That is why the Cyber attacker(s) went after this company: it possesses a treasure trove of information and data about the students who make use of its products and services.

In one fell swoop, the Cyber attacker(s) was able to garner the username and password combinations of some 40,000,000 Chegg accounts.  That is indeed a huge and staggering number, and in fact I would even venture to say that this is the largest hack I have ever written about.  The compromised data included the following:

*The names of the students;

*Their E-Mail addresses;

*Their shipping addresses;

*Their hashed passwords (Chegg described these as hashed, not encrypted; how hard they are to crack offline depends entirely on the hashing scheme that was used, which was not disclosed at the time).

It should be noted that it was not the actual IT Infrastructure of Chegg that was hit; rather, it was a user database hosted with a third-party Cloud Provider that was hacked into.  All of this actually occurred back in April of this year, but Chegg did not discover this massive Security breach until September 19th. Once it was discovered, Chegg promptly notified the United States Securities and Exchange Commission (SEC).
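The word "hashed" in a breach notice does not by itself tell a student whether the attacker can read his or her password.  The following is an added example (mine, not code from the original post and not anything Chegg has published about its own systems) that shows why: it stores a handful of constructed sample accounts two ways, as unsalted MD5 digests and as salted PBKDF2-HMAC-SHA256 digests, and then runs the same wordlist attack against both.  The account names, passwords and wordlist are all invented here; the two storage schemes are assumptions chosen to bracket the weak and the reasonable case, since the actual scheme was not disclosed.

```python
import hashlib
import os

# Constructed sample data (not real Chegg accounts): three accounts whose passwords
# appear in every leaked-password wordlist, plus one with a passphrase that does not.
SAMPLE_ACCOUNTS = {
    "alice@example.edu": "123456",
    "bob@example.edu": "password",
    "carol@example.edu": "chegg2018",
    "dave@example.edu": "correct horse battery staple xk9",  # not in WORDLIST
}

# Constructed wordlist; a real attacker uses lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "chegg2018", "letmein", "iloveyou", "football"]

# Assumption: a deliberately slow, salted KDF stands in for "good" password storage.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password):
    """Fast, unsalted digest: the same password always yields the same hex string."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt):
    """Slow, salted derivation: the same password yields a different digest per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS).hex()


def store_unsalted_md5(accounts):
    """The weak way to build a password table: one unsalted MD5 per account."""
    return {user: md5_unsalted(pw) for user, pw in accounts.items()}


def store_salted_pbkdf2(accounts):
    """The better way: a random 16-byte salt per account and a slow KDF."""
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, pbkdf2_salted(pw, salt))
    return table


def crack_unsalted(leaked, wordlist):
    """Hash each candidate once, then match every leaked account by dictionary lookup.
    Cost: len(wordlist) hashes, no matter how many accounts leaked."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


def crack_salted(leaked, wordlist):
    """The per-account salt defeats precomputation: every candidate must be
    re-derived for every account.  Cost: len(leaked) * len(wordlist) slow KDF runs."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            if pbkdf2_salted(w, salt) == digest:
                found[user] = w
                break
    return found


def attacker_work(n_accounts, n_candidates, salted):
    """Hash computations needed to test every candidate against every account."""
    return n_accounts * n_candidates if salted else n_candidates


if __name__ == "__main__":
    weak = store_unsalted_md5(SAMPLE_ACCOUNTS)
    strong = store_salted_pbkdf2(SAMPLE_ACCOUNTS)
    print("unsalted MD5 cracked:", crack_unsalted(weak, WORDLIST))
    print("salted PBKDF2 cracked:", crack_salted(strong, WORDLIST))
    # Scale the two costs up to the breach size with a one-million-entry wordlist.
    print("work, unsalted:", attacker_work(40_000_000, 1_000_000, salted=False))
    print("work, salted:  ", attacker_work(40_000_000, 1_000_000, salted=True))
```

Both runs recover the same three weak passwords and fail on the passphrase, so salting and a slow KDF do not make a weak password safe.  What changes is the attacker's bill: against the unsalted table a million-word list costs a million fast hashes once for all 40,000,000 accounts, while against the salted table it costs a million slow derivations per account.  That is the difference between "every common password is exposed" and "only the weakest passwords are worth the attacker's time", and it is exactly why the scheme behind the word "hashed" matters to the students reading the notice.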

There were other components of the Chegg brand that were severely impacted as well, such as EasyBib.

My thoughts on this?

Well, first and foremost, why in heck did it take this company so long to discover that they were the victim of a Cyber-attack?  I mean, a few days or even a week is one thing, but almost five months?  That is totally reprehensible on the part of Chegg, and completely inexcusable.  There are students who hardly have any assets and who are depending on this organization so that they can finish up their degree and try to land a decent job.

Now, with their passwords compromised as well as the long time gap, who knows what further damage could have been done.  It is quite possible that even cases of Identity Theft could have been launched against these students, so it is absolutely imperative that they get a copy of their credit reports and examine them closely.  They should also check all credit card and banking statements, and change the same password anywhere else they reused it, since a leaked username and password pair will be tried against other sites.

Keep in mind, though, that even if the database that hosted these username and password combinations was entrusted to a third-party vendor, Chegg is still ultimately responsible, and they should be held responsible to the full extent of the penalties the law currently allows.  I mean, 40,000,000 passwords stolen and nobody noticed it until now?  What a joke on their IT Staff.

But luckily enough, there were no Social Security numbers stolen.  The day that this Security breach was announced, the stock of Chegg fell by more than 12%.  You can see this in the chart below, right at the very end:

(SOURCE:  https://www.nasdaq.com/symbol/chgg/stock-report)

Educational institutions and their vendors will continue to be a prime target for the Cyber attacker, and on an ever-growing basis as well.  Why?  Because these entities have no choice but to give in, or to pay up in the case of a Ransomware attack. Many of these places are highly dependent upon state funding to keep their IT Infrastructures modern and up to date, and many of those infrastructures are not, thus making it easy to get confidential information and data not just on the students themselves, but also on the faculty and staff.

So, what is Chegg going to do to help the victims out?  Reset their passwords.  Today it costs a business at least $300 to reset a single password.  So just do the math:

40,000,000 X $300 = $12,000,000,000

Yes, that is how much it could potentially cost Chegg.  But simply resetting a password as a means of preventative Security is yet another joke, which will be addressed in a later blog.  For now, just try to digest these staggering numbers.