Chegg Data Breach and the need for granular identity hygiene

Chegg Inc., a prominent educational platform, faced a significant cybersecurity breach in April 2018, resulting in the exposure of sensitive data belonging to over 40 million users. The breach, perpetrated by a former contractor who used AWS root credentials to exfiltrate the data. 

‍

Incident Details

In April 2018, Chegg inadvertently allowed a former contractor to retain access to their AWS account using root credentials, without implementing multi-factor authentication (MFA) which were against aws best practices. This oversight, coupled with the absence of encryption for employee and user information and the use of weak password hashing algorithms, facilitated the exfiltration of a database containing personal data of millions of users.

Chegg relies on S3 buckets to store a wide variety of files that contain users’ sensitive personal information, including their names, passwords, dates of birth, and Scholarship Search Data (collectively, the “S3 User Data”). Hence Large no of S3 api calls were made during the Incident. It could have been mitigated or detected earlier with proper access controls and monitoring practices in place.

‍

Federal Trade Commission Impact and Remediation Steps

FTC claimed across all the breaches, Chegg’s insufficient cybersecurity practices resulted in exposing data for approximately 40 million users. Chegg did agree to honor a proposed order from the FTC to improve its data security, which will see the company implement multi factor authentication, have threat monitoring and detection systems in place, encrypt user data, and allow customers to access and delete their data from the platform.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

‍

How Unosecur could have detected the threat at an early stage and prevented data exfiltration of millions of Users

Unosecur, an Identity Threat Detection and Response system, can provide capability in  preventing and mitigating ongoing threats in your cloud environments. It monitors AWS Cloud rail logs in real time and detects malicious activity based on the MITRE Attack framework while also providing remediation's in order to mitigate the threats. It provides alerts based on suspicious activities such as unexpected bucket listings, unusual data retrieval, tampering security controls like security hub and config, etc. Real-time notifications facilitate immediate investigation and remediation, supported by detailed audit logs for post-incident analysis.

As Chegg mentioned, "Had Chegg employed reasonable access controls and monitoring, it would have likely detected and/or stopped the attack more quickly." And here, Unosecur serves as the adequate monitoring solution, offering step-by-step remediation for ongoing threats in order to stop them to prevent massive loss. 

‍

Conclusion

The Chegg data breach which resulted in exposure of sensitive data belonging to over 40 million users reminds us of the importance of threat monitoring and remediation mechanisms and adherence to AWS best practices. Organizations must implement strong access controls using IAM, securely manage credentials and encrypt their data at rest and transit. Providing comprehensive security training to employees and conducting Aws security assessments by vendors helps secure the cloud infrastructure. 

Unosecur’s ITDR can help detect malicious activities like enumeration i.e. listing down the buckets and exfiltration activities at early stages by alerting the team in real time along with remediation steps to contain or eradicate the malicious actor. Unosecur also highlights the best practices which adheres to aws security. Detailed audit logs support post-incident analysis to determine the extent and consequences of the breach is just one of the helpful features of Unosecur for forensic use.