Skip to main content
Image
Image with three icons: a face photo, a fingerprint, and a password. The copy says to help protect against hackers, "use multifactor authentication for added online security."

An easy step can help protect your online accounts from hackers. Whenever you can, make sure your accounts ask for two credentials to verify your identity when you log in. It’s called multifactor, or two-factor, authentication. The protection is so powerful that the FTC insisted that Chegg, Inc., offer it to users of its online educational services as part of a settlement of an FTC data breach case against it.

According to the FTC, Chegg didn’t use reasonable security measures to protect the personal information of its users — mostly high school and college students — and employees. An FTC complaint charges that Chegg’s lax security resulted in four data breaches from 2017-2020.

One breach, in 2018, exposed 40 million users’ names, email addresses, passwords and, for some, their religion, heritage, date of birth, sexual orientation, disabilities, and parents’ income range, the FTC says. Other breaches exposed employees’ financial, medical, and W-2 information, including birthdates and Social Security numbers. The FTC says that Chegg repeatedly failed to fix the data security problems the breaches revealed, resulting in further breaches.

Under an FTC settlement, Chegg must take steps including offering users multifactor authentication options to secure their accounts. With multifactor authentication, you need a credential, or “factor,” beyond your password or PIN to log into your account. The factor can be something you have, like a one-time verification passcode you get from a security key or by text, email, or from an authenticator app. Or, it can be something you are, like your fingerprint, your face, or your retina.

With multifactor authentication, even if a hacker knows your username and password, they can’t log in to your account without the second credential, making your account far more secure than it would be with just a password for protection.

Under the settlement, Chegg also must put a comprehensive data security program into place, minimize the personal data it collects, and let users delete certain personal information from Chegg’s files.

Learn how to turn on multifactor authentication and other ways to secure your account on our website.

4 Comments


It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

DB- PHX, AZ
November 02, 2022

TFA should be a regulatory requirement for any database management offerings, including any government or agency collecting PHI or licensing body, any internet commerce site which captures & stores sales data, reference data libraries or cloud based data storage server farms.

KH ALABAMA
November 04, 2022

In reply to by DB- PHX, AZ

Agreed, regulatory requirements are needed in any such offering!

kyanite
November 03, 2022

When will it become possible for people injured the way that everyone who dealt w/Chegg and is now very vulnerable to identity theft (which can cost up to $50,000 to deal w/the harm resulting from ID theft) to obtain monetary compensation, including compensation for potential job & money difficulties as a likely result of Chegg's negligence? Security breaches are very frequent, and so often because a large corporation (that undoubtedly pays huge compensation packages to upper management) didn't install a security patch--up to a year after it was issued--or other act of carelessnes in protecting client/customer confidential information. Yet nothing that would actually DETER future breaches happens. Just a slap on the wrist, bad boys! (or girls) Don't do it again! instead the FTC puts the burden on the victims, those least able to really protect their data once they've provided it. "Use 2 factor authentication" (assuming it's even available at that data collector's site!). No compensation to those who may spends hundreds or thousands of dollars to deal w/the consequences of corporate negligence.

Tired of an agency whose actions are so protective of corporate profits.