
An easy step can help protect your online accounts from hackers. Whenever you can, make sure your accounts ask for two credentials to verify your identity when you log in. It’s called multifactor, or two-factor, authentication. The protection is so powerful that the FTC insisted that Chegg, Inc., offer it to users of its online educational services as part of a settlement of an FTC data breach case against it.

According to the FTC, Chegg didn’t use reasonable security measures to protect the personal information of its users — mostly high school and college students — and employees. An FTC complaint charges that Chegg’s lax security resulted in four data breaches from 2017-2020.

One breach, in 2018, exposed 40 million users’ names, email addresses, passwords and, for some, their religion, heritage, date of birth, sexual orientation, disabilities, and parents’ income range, the FTC says. Other breaches exposed employees’ financial, medical, and W-2 information, including birthdates and Social Security numbers. The FTC says that Chegg repeatedly failed to fix the data security problems the breaches revealed, resulting in further breaches.

Under an FTC settlement, Chegg must take steps including offering users multifactor authentication options to secure their accounts. With multifactor authentication, you need a credential, or “factor,” beyond your password or PIN to log into your account. The factor can be something you have, like a one-time verification passcode you get from a security key or by text, email, or from an authenticator app. Or, it can be something you are, like your fingerprint, your face, or your retina.

With multifactor authentication, even if a hacker knows your username and password, they can’t log in to your account without the second credential, making your account far more secure than it would be with just a password for protection.

Under the settlement, Chegg also must put a comprehensive data security program into place, minimize the personal data it collects, and let users delete certain personal information from Chegg’s files.

Learn how to turn on multifactor authentication and other ways to secure your account on our website.

DB- PHX, AZ
November 02, 2022

TFA should be a regulatory requirement for any database management offerings, including any government or agency collecting PHI or licensing body, any internet commerce site which captures & stores sales data, reference data libraries or cloud based data storage server farms.

KH ALABAMA
November 04, 2022

In reply to DB- PHX, AZ

Agreed, regulatory requirements are needed in any such offering!

kyanite
November 03, 2022

When will it become possible for people injured the way that everyone who dealt w/Chegg and is now very vulnerable to identity theft (which can cost up to $50,000 to deal w/the harm resulting from ID theft) to obtain monetary compensation, including compensation for potential job & money difficulties as a likely result of Chegg's negligence? Security breaches are very frequent, and so often because a large corporation (that undoubtedly pays huge compensation packages to upper management) didn't install a security patch--up to a year after it was issued--or other act of carelessness in protecting client/customer confidential information. Yet nothing that would actually DETER future breaches happens. Just a slap on the wrist, bad boys! (or girls) Don't do it again! Instead the FTC puts the burden on the victims, those least able to really protect their data once they've provided it. "Use 2 factor authentication" (assuming it's even available at that data collector's site!). No compensation to those who may spend hundreds or thousands of dollars to deal w/the consequences of corporate negligence.

Tired of an agency whose actions are so protective of corporate profits.