Educause Security Discussion mailing list archives

Re: Chegg Data Breach notification (Thanks to HIBP)


From: "Theodore J. August" <Theodore.August () SALVE EDU>
Date: Tue, 24 Sep 2019 15:47:29 +0000

RE: Algorithm used in Chegg data breach

The HIBP article regarding the Chegg breach mentioned that the passwords were unsalted MD5.  I have a limited knowledge 
of cryptography, but MD5 has been easily cracked with consumer-level hardware since about 2012 (according to 
Wikipedia), so this list is probably as good as plain text.  They were most likely decrypted into plain text many 
months ago.

Ted August
Salve Regina University

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Hagan, Sean" 
<sean.hagan () YC EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 23, 2019 at 3:51 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL] Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Robert – Thanks for the clarification, and I’m well aware of what Chegg is and that it is not our own breach.  We’ve 
been receiving HIBP alerts for at least two years now and it’s part of our formal IR process.  Again, knowing the 
password is not necessary, but it saves me considerable time and/or gives me much greater certainty during my triage 
and incident response process.

Basically:

IF breach announced for users in my domain AND breach includes passwords AND passwords are plaintext OR passwords are 
weakly hashed THEN force password change WHERE breach date >= last password change date.

Hopefully that makes sense.  Since this is a public list, I won’t go into details about anything else, but suffice it 
to say that general response above can have a very large user population in it.  Knowing the passwords means I can 
automatically exclude most of my users since our password complexity requirements tend to be far greater than those of 
most websites.  Not knowing the passwords means I’m left providing less than ideal options to my leadership on how to 
proceed (ignore it and hope the passwords weren’t valid, force password changes on several hundred accounts, etc.)

In the case of the Chegg breach, the passwords were hashed - not plaintext - and I think there's enough evidence out 
there now to conclude that the hashed passwords have been cracked (or at least a large subset of them).  So hashing can 
be close to worthless depending on the algorithm used.
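As an added example (not code from the thread, and not any university's or HIBP's own tooling), Sean's IF/AND/THEN/WHERE rule above written out in Python. The breach fields, domain, dates and addresses are constructed assumptions, not HIBP's notification schema:

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Storage schemes the thread treats as "as good as plain text": cheap to crack
# at scale, so a leaked hash is handled like a leaked password.
WEAK_STORAGE = {"plaintext", "unsalted md5", "unsalted sha1", "md5", "sha1"}

@dataclass(frozen=True)
class Breach:
    name: str
    breach_date: date          # date the data was taken, per the notification
    includes_passwords: bool
    password_storage: str      # e.g. "unsalted md5", "bcrypt" (assumed field)

@dataclass(frozen=True)
class Account:
    email: str
    last_password_change: date

def breach_is_weak(breach: Breach) -> bool:
    """Passwords present AND stored in plaintext or a weak hash."""
    return breach.includes_passwords and breach.password_storage.lower() in WEAK_STORAGE

def accounts_to_reset(breach: Breach, exposed: Iterable[str],
                      directory: Iterable[Account], my_domain: str) -> List[str]:
    """Force a change WHERE breach date >= last password change date, only for
    exposed addresses in my domain that still exist in the directory."""
    if not breach_is_weak(breach):
        return []
    by_email = {a.email.lower(): a for a in directory}
    hits = []
    for email in (e.lower() for e in exposed):
        if not email.endswith("@" + my_domain.lower()):
            continue                      # someone else's user
        acct = by_email.get(email)
        if acct is None:
            continue                      # account gone; nothing to reset
        if breach.breach_date >= acct.last_password_change:
            hits.append(email)
    return sorted(hits)

# Constructed sample data (domain, dates and names are made up).
SAMPLE_BREACH = Breach("Chegg", date(2018, 4, 28), True, "unsalted md5")
SAMPLE_EXPOSED = ["alice@example.edu", "Bob@Example.edu", "carol@example.edu",
                  "dave@example.edu", "eve@other.edu"]
SAMPLE_DIRECTORY = [Account("alice@example.edu", date(2018, 1, 10)),
                    Account("bob@example.edu", date(2019, 6, 1)),
                    Account("carol@example.edu", date(2017, 5, 5))]

def sample_triage() -> List[str]:
    """Run the rule over the sample: alice and carol changed passwords before
    the breach date, bob after it, dave no longer exists, eve is off-domain."""
    return accounts_to_reset(SAMPLE_BREACH, SAMPLE_EXPOSED, SAMPLE_DIRECTORY, "example.edu")
```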



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Barton, Robert W.
Sent: Monday, September 23, 2019 12:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

I have not found a listing of the accounts (just the descriptions that HIBP gives) without hitting a questionable web 
site.

Please note, this is an outside exposure that is being disclosed; not a hack of your system…unless you are Chegg.  ☺  
I’m not sure where knowing the password is necessary.  If they have done their work in some areas, but not others, the 
site password should be a hash anyway and thus of limited (no) use.  Although, if the passwords are kept in a 
non-encrypted format, I can see where knowing what people are using for passwords could give you a good idea as to IF 
they are using good password hygiene/policy.  But, if you assume they are not, and use this as an educational 
opportunity anyway????

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hagan, Sean
Sent: Monday, September 23, 2019 1:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

I would be looking for the same as Garrett in any breach situation because my triage of an incident first involves 
determining scope.  Without access to the passwords, I have no idea if they meet complexity requirements or not, so I’m 
left making assumptions I’d rather not make.  With the passwords, I can quickly run them through some Excel filters to 
check length and complexity, and then test those that meet our criteria to see if they’re still valid.  Can usually 
reduce an incident involving potentially hundreds of accounts to just a handful.

So I see a lot of value in getting the dumps/raw passwords where possible.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 23, 2019 9:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

I think Garrett is looking for the raw passwords, not just the list of users included. I'm also not sure why that 
information would be useful.

HIBP is great for finding out when accounts are on lists, I'm not sure that I would want to have the passwords that 
were compromised. HIBP also has an API where passwords can be securely hashed and compared to check if they have been 
seen in any breach. (It doesn't specify exactly which breach it was found in, just that it is "out there somewhere".)

Frank
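As an added example (not code from the thread and not HIBP's own client), the Pwned Passwords range API Frank refers to, written out so the mechanism is visible: only the first five hex characters of the password's SHA-1 leave the client, the server returns every suffix that shares that prefix, and the comparison happens locally. The range bodies below are constructed samples, not live API data:

```python
import hashlib
from typing import Callable, Dict, Tuple

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response body: one 'SUFFIX:COUNT' per line."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breach data (0 = never).
    `lookup` fetches the range body for a prefix; against the real service that
    is GET https://api.pwnedpasswords.com/range/<prefix>.  The password and its
    full hash are never transmitted."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(lookup(prefix)).get(suffix, 0)

# Constructed sample range: it contains the real suffix for the password
# "password" (a widely leaked value) plus two made-up neighbours sharing the
# same prefix; the counts are invented.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGES = {
    _PREFIX: "0" * 35 + ":1\n" + _SUFFIX + ":3730471\n" + "F" * 35 + ":2\n",
}

def sample_lookup(prefix: str) -> str:
    """Offline stand-in for the HTTP GET; unknown prefixes yield an empty body."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-not-in-sample"):
        print(pw, "->", pwned_count(pw, sample_lookup))
```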

On Mon, Sep 23, 2019 at 12:35 PM Jim A. Bole <jbole () stevenson edu> wrote:
Garrett,

Someone can sign up for your domain(s) on HIBP. Once you do you’ll get notifications as well as a dump of all accounts 
associated with your domain(s).

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garrett McManaway
Sent: Monday, September 23, 2019 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Chegg Data Breach notification (Thanks to HIBP)

Does anyone have the raw password dump, or able to point me to where it exists?

Garrett McManaway
CISO & Sr. Director
C&IT - Information Security and Compliance
Wayne State University
Phone: 313-577-3454

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Monday, September 23, 2019 9:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Chegg Data Breach notification (Thanks to HIBP)

Just to 'close the loop' on this, we're seeing so many attacks based on the Chegg list right now that it isn't even 
funny.  Luckily many of them are failing, but we're seeing a good number of successful 'password reuse' attacks that we 
can confirm are linked directly to the Chegg list.

Frank

On Fri, Aug 16, 2019 at 7:17 PM Joseph Tam <tam () math ubc ca> wrote:
(Speaking as someone who deals with a few hundred, not a few thousand
accounts.)

Frank Barton <bartonf () HUSSON EDU> writes:

Are you notifying impacted users?

Yes.  I make reference to the most comprehensive sites I can find that
explain the data breach -- disturbingly, some vendors are not very forthcoming
about it -- as well as general security advice on password diversification,
identity fraud, etc.

Are you requiring a password reset for campus systems?

No.  Unless you have evidence that the same password is being used, I rely
on the recipient to judge for themselves what are appropriate actions.
Forcing people to change their password based on paranoia, like frequent
password rotation, is counterproductive.

Ken Connelly <ken.connelly () UNI EDU> writes:

For all similar reports that include a password in the
stolen data, we send this message to the affected accounts.

These breaches leak all sorts of data, and hashed passwords may not be
as damaging as attempts at identity fraud, so I notify users about that
as well.

(In sig)
Any request to divulge your UNI password via e-mail is fraudulent!

Most phish will try and instruct you to enter it into a web form,
but making this distinction in a short sig is doomed to failure.
Reducing security to a slogan is the opposite of what you want.

"Jim A. Bole" <jbole () STEVENSON EDU> writes:

We subscribe to haveibeenpwned.com's domain search notification service.
We've seen a steady increase in notifications around these types of services:
- Chegg
- Canva
- Adobe

I'm also subscribed there, and the recent spike in reported accounts
seems to be sourced from the same individual.  Apparently, this person
found a way to get a hold of a lot of breached data.  (Maybe working
undercover?)

From: Blake M Bourgeois <bbour53 () LSU EDU>

For what it is worth, we saw the data in the breach being leveraged as
early as May 2018 and were able to finally confirm that the large
number of account compromises then were a result of this breach.

I've observed that these data leak notifications get less useful over
time.  Not only do many accounts go extinct (most of the accounts I
get notified about don't exist anymore), but action on earlier breach
notices also protects from some later breaches.  I see a lot of overlap
on accounts where the same user account shows up again and again.

These leaked credentials are exploited though: some of the frequently
reported leaked credentials also show up frequently in my auth failure
logs.

Joseph Tam <tam () math ubc ca>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University



--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
