2019-09-26: Chegg data breach and New Paltz accounts

There was a data breach of the textbook rental site Chegg.  Chegg is not directly affiliated with SUNY New Paltz, and this is not a breach of New Paltz systems, but because so many students use it, we wanted to send out an advisory.

There have been a number of student accounts compromised in the past week.  We have strong reason to believe that these compromises stem from the Chegg data breach (specifically, people who used the same password at New Paltz and on Chegg).

Chegg data breach & forced password changes via my.newpaltz.edu

New Paltz was able to obtain a list of New Paltz users who were part of the data breach.  We took the step of requiring a password change (the next time an impacted user logs into my.newpaltz.edu) for any user listed in that data breach (or in certain other publicly listed data breaches).


How can I find out if I was part of this breach, or other data breaches?

There’s a third-party website we recommend called HaveIBeenPwned.com.  It is a site run by a Microsoft engineer which tracks users who are impacted by data breaches.  It does not include every data breach, but it does include those where the compromised data has been shared with the site.  You can use it to look up which past data breaches your email address was part of, as well as what data was taken in each of those breaches.

Out of an abundance of caution, New Paltz ITS made the decision to require a password change for any New Paltz account listed on this site (not just in the Chegg breach, but in other data breaches as well).  This is why some students who did not have Chegg accounts are seeing that my.newpaltz.edu is asking them to change their passwords.


General online safety and security tips

We’re including some quick tips which you can use to help protect yourself online. 

  • Use a different password for each site, especially for the highest-value targets for cyber criminals (email, social media, and banking accounts).  Consider using a password manager (1Password, Dashlane, KeePass, LastPass, etc.) to create and store a unique password per site.  If you reuse a password, a compromise of any one site where you use it leaves every other site where you use the same password vulnerable.
  • Review application access on social media sites and email accounts.  Which applications have you previously given access to your account, and what level of access did you grant them?
  • Consider the permissions requested by apps on your phone before installing them.  Does your flashlight app really need access to your location and camera?  Why does a VPN app need access to your microphone?
  • Look into multi-factor authentication (MFA), also referred to as two-step authentication.  With MFA, you use an app, hardware token, or text message, in addition to your password, to verify your identity.  It is a strong protection against cybercriminals.
    • Note: New Paltz is rolling out MFA via a service called Duo to all faculty/staff.  We are investigating when we can launch it for students; stay tuned!

Keep an eye out for future updates.  We’ll be going into more detail on these topics, and on additional ways to stay safe online, in October, National Cyber Security Awareness Month.


Article ID: 87706
Wed 9/25/19 3:07 PM
Thu 10/17/19 10:59 AM