Chegg 2018 Data Breach

Chegg Online Education Platform Breach (2018): 39 Million Student Records Including Passwords & Home Address Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

MisconfigurationEducationEmail AddressFull NamePasswordPhone NumberPhysical AddressUsername
Low SeverityWebsite / service breach

Chegg Online Education Platform Breach (2018): 39 Million Student Records Including Passwords & Home Address Exposed

Online education platform.

Verified by ObscureIQ Intelligence
34/100Breach Risk Index
10Data Value
25Market Recency
512dSince Breach

Breach Intelligence Summary

Entity: Chegg · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Company · Education technology services · Subscription-based learning platform · USA / Global
Timeline: Breach (2018-04-28) · Indexed (Dec 01, 2024) · Year (2018)
Exposure: 39.8M records · 6 fields: Email Address, Full Name, Password, Phone Number, Physical Address, Username
Status: Confirmed

Executive Summary

Chegg, a U.S. education technology company serving millions of college students, suffered a data breach in April 2018 that exposed records tied to approximately 39.8 million user accounts. The breach stemmed from a misconfiguration that left subscriber data inadequately secured. No external attacker group has been publicly attributed. The exposed data included names, email addresses, usernames, and passwords. Passwords were stored as unsalted MD5 hashes, a weak and outdated format that makes them relatively easy to crack. A subset of records also contained phone numbers and home addresses. For students, those addresses were likely campus or school-year residences. The combination of crackable passwords and contact details creates serious risk of account takeover, phishing, and targeted scams that exploit academic context such as fake tutoring offers or financial aid fraud. The Federal Trade Commission investigated the breach and reached a settlement with Chegg in 2022, one of the few formal enforcement actions against an education technology company. Under the settlement, Chegg was required to implement a data security program, reduce the personal data it retains, and offer users multi-factor authentication. Chegg notified affected users and prompted password resets following the incident. People whose data was exposed should treat any associated passwords as compromised, particularly if those credentials were reused on other accounts.

ObscureIQ assessment: Exposure enables phishing, account takeover, fraud, and academic-themed scams. Study patterns and school affiliation can also reveal age, educational status, and exam-related vulnerability.

Breach Impact

In April 2018 Chegg suffered a breach affecting approximately 40 million subscriber records, exposing names, email addresses, usernames, passwords, phone numbers, and home addresses. The data was stored in an insecure manner — passwords were not adequately protected — which compounded the risk to affected users. Chegg notified users and required password resets. The FTC subsequently investigated and reached a settlement with Chegg in 2022, requiring the company to implement a security program, limit data collection, and provide users with multi-factor authentication options — one of the few EdTech breach-related FTC enforcement actions on record.

About Chegg

Chegg is a U.S. education technology company offering textbook rental and sale services, homework help, tutoring, and a suite of online learning tools primarily targeting college students. The company is publicly traded on the NYSE and headquartered in Santa Clara, California. At its peak Chegg was one of the most widely used academic support platforms among U.S. undergraduates. Its business has faced significant disruption from AI-powered homework assistance tools.

Why They Hold Your Data

Education technology platforms collect student identity, emails, subscription records, coursework activity, study behavior, payment-adjacent data, and in some cases school-linked information.

Recent Developments

Chegg has been in significant financial difficulty following the emergence of AI-powered homework tools including ChatGPT, which directly displaced its core tutoring and homework help business. The company reported substantial revenue declines starting in 2023 and undertook major restructuring including workforce reductions. In 2024 Chegg considered a potential sale of the company as its stock price collapsed from earlier highs. Mathway, which Chegg acquired in 2020, has been caught in the same structural decline.

Data Points Exposed

6 verified field types
Email Address
Full Name High
Password Critical
Phone Number
Physical Address High
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Chegg breach?

Chegg, a U.S. education technology company serving millions of college students, suffered a data breach in April 2018 that exposed records tied to approximately 39.8 million user accounts. The breach stemmed from a misconfiguration that left subscriber data inadequately secured. No external…

What data was exposed?

Verified fields include Email Address, Full Name, Password, Phone Number, Physical Address, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
Cross-source
Dehashed
Independent catalogue listing
Cross-source
leakfind
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation