Chegg security breach exposes 130 Rice accounts

By Amy Qin     10/1/19 9:59pm

Over 130 Rice accounts had their email addresses and passwords exposed as part of a breach that swept Chegg, a textbook rental and homework help company, over a year ago, according to Marc Scarborough, chief information security officer at the Office of Information Technology.

Chegg disclosed a security breach affecting its approximately 40 million accounts on Sept. 25, 2018, according to CNBC. Of those 40 million breached accounts, 1,976 were registered with a Rice email address, and of those 1,976, more than 130 used a Rice NetID password on the Chegg site, according to Scarborough.

Scarborough said the Information Security Office subscribes to an intelligence and threat sharing service that notified them on Aug. 16 that information from 1,976 Rice email addresses had been stolen from Chegg and posted online.

---

---

Scarborough said the effects seen by students with affected accounts as a result of the breach were minimal.

“If the student used the Chegg service with their Rice email address and actual Rice NetID password, instead of using a unique one for the non-Rice service, then attackers attempted to use their exposed passwords to send spam,” Scarborough said. “We are not aware of other fraudulent uses of their passwords.”

Scarborough said the OIT checked the 130 breached passwords to see if any were currently in use in Rice’s system; if they were, the OIT locked the accounts.

Q Tabarestani, a Hanszen College senior, said he received an email from Rice last week regarding the security breach telling him to change his NetID password.

“The email itself seemed a little sketchy since it was sent twice, the first time just containing a bunch of coding gibberish,” Tabarestani said. “I thought the email from Rice was also a phishing scheme so I did not change my password.”

When he could not log into his Canvas or email the next afternoon, Tabarestani said he “freaked out” and contacted Hanna Gratch, the OIT ambassador at Hanszen. Gratch’s boss informed Tabarestani that the OIT had locked his accounts under the suspicion that they had been hacked.

Tabarestani said the OIT was very helpful in unlocking his accounts when he visited them the next morning but that he wished they would notify students when they locked accounts.

“Overall, the experience was very nerve-wracking, especially during the period where I could not contact anyone from the office,” Tabarestani said. 

Daniel Pham, a McMurtry College senior, said he discovered he was part of the security breach after he reached out to the OIT when he could not log into his Google Calendar. He said that having his account locked was inconvenient but overall was “not a big deal.”

“It was just annoying because I was waiting on a job offer, and I couldn’t check my email or do my homework in Canvas,” Pham said.

According to Scarborough, affected students should change the passwords they used for their Chegg accounts everywhere else they used it, or else they could continue to be affected by the breach.

“Do not use your Rice email address and Rice password to create accounts on non-Rice services like Chegg, Instagram, Amazon, etc.,” Scarborough said. “Those that created a new password for their Chegg account were not affected.  Password managers, such as 1Password and LastPass, are helpful in managing multiple passwords.”

---