Chegg Data Breach
Chegg Online Education Platform Breach (2018): 39 Million Student Records Including Passwords & Home Address Exposed
Online education platform.
Risk Interpretation
Exposure enables phishing, account takeover, fraud, and academic-themed scams. Study patterns and school affiliation can also reveal age, educational status, and exam-related vulnerability.
Impact & Downstream Threats
In April 2018 Chegg suffered a breach affecting approximately 40 million subscriber records, exposing names, email addresses, usernames, passwords, phone numbers, and home addresses. The data was stored in an insecure manner — passwords were not adequately protected — which compounded the risk to affected users. Chegg notified users and required password resets. The FTC subsequently investigated and reached a settlement with Chegg in 2022, requiring the company to implement a security program, l
- Credential stuffing against reused passwords across other platforms
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Chegg, a U.S. education technology company serving millions of college students, suffered a data breach in April 2018 that exposed records tied to approximately 39.8 million user accounts. The breach stemmed from a misconfiguration that left subscriber data inadequately secured. No external attacker group has been publicly attributed. The exposed data included names, email addresses, usernames, and passwords. Passwords were stored as unsalted MD5 hashes, a weak and outdated format that makes them relatively easy to crack. A subset of records also contained phone numbers and home addresses. For students, those addresses were likely campus or school-year residences. The combination of crackable passwords and contact details creates serious risk of account takeover, phishing, and targeted scams that exploit academic context such as fake tutoring offers or financial aid fraud. The Federal Trade Commission investigated the breach and reached a settlement with Chegg in 2022, one of the few formal enforcement actions against an education technology company. Under the settlement, Chegg was required to implement a data security program, reduce the personal data it retains, and offer users multi-factor authentication. Chegg notified affected users and prompted password resets following the incident. People whose data was exposed should treat any associated passwords as compromised, particularly if those credentials were reused on other accounts.
About Chegg
Chegg is a U.S. education technology company offering textbook rental and sale services, homework help, tutoring, and a suite of online learning tools primarily targeting college students. The company is publicly traded on the NYSE and headquartered in Santa Clara, California. At its peak Chegg was one of the most widely used academic support platforms among U.S. undergraduates. Its business has faced significant disruption from AI-powered homework assistance tools.
Why They Hold Your Data
Education technology platforms collect student identity, emails, subscription records, coursework activity, study behavior, payment-adjacent data, and in some cases school-linked information.
Recent Developments
Chegg has been in significant financial difficulty following the emergence of AI-powered homework tools including ChatGPT, which directly displaced its core tutoring and homework help business. The company reported substantial revenue declines starting in 2023 and undertook major restructuring including workforce reductions. In 2024 Chegg considered a potential sale of the company as its stock price collapsed from earlier highs. Mathway, which Chegg acquired in 2020, has been caught in the same structural decline.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, full_name, password, phone_number, physical_address, physical_address:home, username
Dark Web Verification
- Dataset containing ~39.8M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: chegg.com-2018;Chegg Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Chegg
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam