What happened

According to public breach records, the Chegg data breach on April 28, 2018 is reported to have exposed the personal information of 39,721,127 accounts.

In April 2018, the textbook rental service Chegg suffered a data breach that impacted 40 million subscribers. The exposed data included email addresses, usernames, names and passwords stored as unsalted MD5 hashes. A small number of records also contained a physical address or phone number.

Passwords in this breach were reportedly stored as MD5 hashes.

In April 2018 an unauthorized party accessed a Chegg database covering chegg.com and related brands such as EasyBib; per the FTC, a former contractor retained the company's AWS root credentials (no multi-factor authentication enabled) and used them to exfiltrate a database of roughly 40 million users' personal information. Chegg did not learn of the breach until September 2018, when a third party flagged it and threat-intelligence researchers found exposed user credentials circulating online, prompting the company to notify the SEC on September 25 and the public on September 26, 2018. Exposed fields included names, email addresses, usernames, shipping/physical addresses, and hashed passwords; Chegg stated no Social Security numbers or financial account data were taken, and it force-reset passwords for all affected users.

What data was exposed

The following types of personal data were compromised:

  • Email addresses
  • Names
  • Passwords
  • Phone numbers
  • Physical addresses
  • Usernames

Breach details

Detail             Value
Breach name        Chegg
Date               April 28, 2018
Accounts affected  39,721,127
Domain             chegg.com

This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.

We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Chegg; it reflects a publicly reported security incident.

What to do now

Based on the data exposed in this breach, here are the steps you should take:

  • Change your Chegg password immediately if you haven't since 2018, and change it anywhere else you reused that same password, since hashed credentials from this set were cracked and circulated.
  • Turn on two-factor authentication on your Chegg account and any account that shared the breached password, so a stolen password alone can't grant access.
  • Treat unexpected emails, texts, or calls referencing Chegg, scholarships, or coursework as potential phishing, since exposed names, emails, phone numbers, and addresses make targeted scams more convincing.
  • Use a unique, randomly generated password per site (a password manager helps) so a future leak of one credential can't unlock your other accounts.
