Educational technology company Chegg is resetting the passwords for 40 million of its users after news broke last week that the firm was breached in April of this year.
Company officials said the threat actors didn’t access financial or SSN data but "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com hashed passwords, according to an SEC Form 8-K.
The firm didn’t specify which hashing algorithm was used, which is important because some hashing algorithms are stronger than others, although the firm did say the passwords weren’t stored in clear text.
“On September 19, 2018, Chegg learned that on or around April 29, 2018, an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib,” the report said.
Ryan Wilk, vice president of customer success for NuData Security, told SC Media that devaluing the information after it is stolen should be a primary aim of online organizations.
“The problem is that, although discovered this month, it occurred in April of 2018 – so consumer passwords and information have been out on the market for almost six months,” Wilk said. “That means cybercriminals had enough time to test the passwords that customers might have used for other accounts so they can take over them.”
He added that utilizing hundreds of identifiers allows companies to authenticate the real customer and block fraudsters without frustrating customers with multiple verification steps to verify their identity.