TL;DR: Chegg’s April 2018 breach exposed data for more than 40 million users after a former contractor retained AWS root access without MFA, enabling exfiltration from S3 and weakly protected records, according to Unosecur. The case shows how shared root credentials, poor data protection, and thin monitoring turn an identity lapse into a large-scale breach.
NHIMG editorial — based on content published by Unosecur: Chegg Data Breach and the need for granular identity hygiene
By the numbers:
- Chegg Inc. faced a significant cybersecurity breach in April 2018, resulting in the exposure of sensitive data belonging to over 40 million users.
Questions worth separating out
Q: What fails when AWS root credentials are shared or retained after someone leaves?
A: Shared or retained root credentials break the basic assumption that privileged access is tied to an active, accountable operator.
Q: Why do cloud breaches get worse when MFA is missing on privileged accounts?
A: MFA removes the easiest path from stolen or retained credentials to live access.
Q: How can security teams know whether S3 access is crossing into exfiltration?
A: Look for unexpected bucket enumeration, spikes in object retrieval, and access patterns that do not match normal business activity.
Practitioner guidance
- Retire root access from routine operations Reserve AWS root for break-glass scenarios only, remove it from day-to-day administration, and track every place the credential is stored or recoverable.
- Enforce lifecycle offboarding for privileged cloud identities Tie contractor exit workflows to explicit credential revocation, session termination, and account closure so no administrative identity survives the business relationship.
- Require MFA on every high-privilege cloud account Block any privileged authentication path that relies on password-only or shared-root access, including emergency accounts and inherited admin roles.
What's in the full article
Unosecur's full article covers the operational detail this post intentionally leaves for the source:
- The article walks through the Chegg incident timeline and the specific AWS access misuse described in the breach narrative.
- It includes the FTC remediation context and the controls Chegg agreed to strengthen after the incident.
- It outlines Unosecur's detection approach for CloudTrail-style activity, S3 enumeration, and remediation workflows.
- It adds FAQ-style explanations of MFA, password hashing, Zero Trust, and JIT access in the context of the breach.
👉 Read Unosecur’s analysis of the Chegg breach and AWS root credential abuse →
Chegg breach and AWS root credentials: where IAM failed?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Standing root access is a lifecycle failure, not just a permissions mistake. The Chegg breach worked because a former contractor retained AWS root credentials after the business relationship had changed. That is a joiner-mover-leaver failure in cloud identity form, and it shows how privileged access becomes dangerous when offboarding does not fully close the account.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can cascade into repeated loss.
A question worth separating out:
Q: Who is accountable when a contractor still has privileged cloud access after departure?
A: Accountability sits with the team that owns identity lifecycle governance, not just the person who left. Offboarding must remove access, verify revocation, and confirm that break-glass paths are controlled. Frameworks such as OWASP Non-Human Identity Top 10 and NIST CSF both support that ownership model across privileged access, secrets, and cloud operations.
👉 Read our full editorial: Chegg breach shows why granular identity hygiene still fails