TL;DR: Chegg’s April 2018 breach exposed data for more than 40 million users after a former contractor retained AWS root access without MFA, enabling exfiltration of weakly protected user records from S3, according to Unosecur. The case shows how shared root credentials, poor data protection, and thin monitoring turn an identity lapse into a large-scale breach.
NHIMG editorial — based on content published by Unosecur: Chegg Data Breach and the need for granular identity hygiene
By the numbers:
- Chegg Inc. faced a significant cybersecurity breach in April 2018, resulting in the exposure of sensitive data belonging to over 40 million users.
Questions worth separating out
Q: What fails when AWS root credentials are shared or retained after someone leaves?
A: Shared or retained root credentials break the basic assumption that privileged access is tied to an active, accountable operator.
Q: Why do cloud breaches get worse when MFA is missing on privileged accounts?
A: MFA removes the easiest path from stolen or retained credentials to live access.
Q: How can security teams know whether S3 access is crossing into exfiltration?
A: Look for unexpected bucket enumeration, spikes in object retrieval, and access patterns that do not match normal business activity.
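How the rules in that answer can be turned into detection logic, as an added example (not code from this post or from Unosecur's article): the script below runs three checks over constructed CloudTrail-style S3 events, namely S3 calls made with root credentials that carry no MFA evidence, bucket or object enumeration, and a GetObject count above an assumed per-principal baseline. The account ID, bucket names, IP addresses, access key ID and the threshold of 50 requests are all assumptions.

```python
"""Flag S3 activity that looks like exfiltration in CloudTrail-style events.

Added example, not code from this post or from Unosecur. SAMPLE_EVENTS is
constructed to mimic CloudTrail records; the account ID, bucket names,
IP addresses and access key ID are made-up values.
"""
from collections import Counter, defaultdict

ENUMERATION_APIS = {"ListBuckets", "ListObjects", "ListObjectsV2"}
GET_SPIKE_THRESHOLD = 50  # assumed per-principal baseline for GetObject calls


def _s3_event(identity, name, bucket=None, key=None, ip="198.51.100.23"):
    """Build a minimal CloudTrail-shaped S3 event (constructed sample data)."""
    params = {}
    if bucket:
        params["bucketName"] = bucket
    if key:
        params["key"] = key
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": identity,
        "requestParameters": params,
    }


# Root calling the API with a long-term access key: no sessionContext, no MFA evidence.
ROOT = {
    "type": "Root",
    "arn": "arn:aws:iam::123456789012:root",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
}
# An application role on temporary credentials; roles never carry MFA.
APP_ROLE = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/app-backend/i-0abc123",
    "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
}

SAMPLE_EVENTS = (
    [_s3_event(ROOT, "ListBuckets")]
    + [_s3_event(ROOT, "ListObjectsV2", "user-exports")] * 2
    + [_s3_event(ROOT, "GetObject", "user-exports", f"users-{i:03d}.csv") for i in range(60)]
    + [_s3_event(APP_ROLE, "GetObject", "app-assets", f"asset-{i}.png", ip="10.0.1.5")
       for i in range(10)]
)


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def mfa_used(event):
    """True only with positive evidence of MFA in the record.

    CloudTrail reports MFA for temporary-credential sessions in
    userIdentity.sessionContext.attributes.mfaAuthenticated and for console
    logins in additionalEventData.MFAUsed. A call made with a long-term access
    key carries neither field, so it is treated as not MFA-protected.
    """
    ident = event.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    if str(attrs.get("mfaAuthenticated", "")).lower() == "true":
        return True
    return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"


def analyze(events, get_threshold=GET_SPIKE_THRESHOLD):
    """Return sorted (rule, principal, detail) findings for the three rules."""
    root_no_mfa = set()
    enumeration = defaultdict(set)
    gets = Counter()
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        who = principal_of(ev)
        name = ev.get("eventName", "")
        if ev.get("userIdentity", {}).get("type") == "Root" and not mfa_used(ev):
            root_no_mfa.add(who)
        if name in ENUMERATION_APIS:
            enumeration[who].add(name)
        elif name == "GetObject":
            gets[who] += 1
    findings = [("root-without-mfa", who, "S3 call with root credentials and no MFA evidence")
                for who in root_no_mfa]
    findings += [("bucket-enumeration", who, "/".join(sorted(apis)))
                 for who, apis in enumeration.items()]
    findings += [("getobject-spike", who, f"{n} GetObject calls, threshold {get_threshold}")
                 for who, n in gets.items() if n > get_threshold]
    return sorted(findings)


if __name__ == "__main__":
    for rule, who, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:<20} {who}  {detail}")
```

The baseline is a fixed constant here; in production it would be learned per principal and per bucket from historical volume, and the root rule would fire on any root API call at all rather than only S3, since root has no business making routine calls.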
Practitioner guidance
- Retire root access from routine operations: reserve AWS root for break-glass scenarios only, remove it from day-to-day administration, and track every place the credential is stored or recoverable.
- Enforce lifecycle offboarding for privileged cloud identities: tie contractor exit workflows to explicit credential revocation, session termination, and account closure so no administrative identity survives the business relationship.
- Require MFA on every high-privilege cloud account: block any privileged authentication path that relies on password-only or shared-root access, including emergency accounts and inherited admin roles.
What's in the full article
Unosecur's full article covers the operational detail this post intentionally leaves for the source:
- The article walks through the Chegg incident timeline and the specific AWS access misuse described in the breach narrative.
- It includes the FTC remediation context and the controls Chegg agreed to strengthen after the incident.
- It outlines Unosecur's detection approach for CloudTrail-style activity, S3 enumeration, and remediation workflows.
- It adds FAQ-style explanations of MFA, password hashing, Zero Trust, and JIT access in the context of the breach.
👉 Read Unosecur’s analysis of the Chegg breach and AWS root credential abuse: “Chegg breach and AWS root credentials: where IAM failed?” →