Over 1,000 Boston University students were forced to change their account passwords after BU servers were flooded with spam emails from student accounts in late September, university officials said. The spam is believed to be a result of a 2018 breach of the educational site Chegg.
Eric Jacobsen, executive director of Information Security at BU, wrote in an email that student accounts that displayed spam activity were temporarily disabled and the students were forced to change their passwords as a means of resecuring their accounts.
“In terms of the breach itself, Boston University cannot know which passwords have been reused with which sites,” Jacobsen wrote. “We became aware of the scope of this problem on September 20th when our email servers were inundated with unsolicited bulk email, often called ‘spam,’ from approximately 1,100 accounts.”
Jacobsen said his team used the “Have I Been Pwned” database, an online resource that helps determine whether or not an email has been part of any data breaches, to determine whether the student accounts had any security issues.
While they cannot pinpoint exactly which accounts received spam, the Information Security team spoke with other institutions and concluded that the Chegg breach was the main source of the spam, Jacobsen wrote.
On Sept. 19, 2018, Chegg announced a security breach that had occurred on April 29, 2018. It notified its users that an unauthorized party accessed a company database that holds data belonging not only to Chegg users but also to users of affiliated companies, such as EasyBib. As a result, 40 million users had to go through a password-reset process.
In an 8-K disclosure report to the U.S. Securities and Exchange Commission, Chegg stated that the users’ names, email addresses, shipping addresses, usernames and passwords were accessed by the unauthorized third party. While the investigation into this ordeal is still ongoing, at this time there is no evidence that any user’s Social Security numbers or financial information was accessed.
Chegg is not officially associated with BU, but it is a service many students turn to for resources such as online textbooks and answers to homework. While the hack occurred last year, the effect on BU students was only recently discovered thanks to the September spam emails.
Sandya Ganesan, a senior in the Sargent College of Health and Rehabilitation Sciences, was one of the students who had to re-secure her account. She said this process entailed seeing IT services to change her password, which Ganesan did after noticing that her Blackboard, Student Link and BU wifi were not functioning.
“I deleted my Chegg account early fall of 2018, and I don’t plan on going back at all,” Ganesan said.
Ganesan and other students who had to re-secure their accounts were sent emails with steps they should take to make sure their email was set up normally, to rule out any potential malfunction. Ganesan said she plans to keep her information safe with these tips and other steps.
Ryan Nie, a freshman in the College of Arts and Sciences, said he will keep using the online resource despite the incident.
“If Chegg still gives me homework answers and homework help, I think I’ll still use the website,” Nie said. “I believe you don’t need to have an account to view the answers. So personally, it doesn’t really affect me, but I think even for those that are affected, they will still continue to use it if they need homework help.”
Caroline Richardson, a junior in the College of Communication, said she uses Chegg and that this incident will only make her more careful with her online security.
“After I heard about this, I realized my password for Chegg was the exact same as my school passwords, so I had to change everything,” Richardson said. “I was just more careful. I mean, I just haven’t used as much this year, I really don’t need it with the classes I’m taking right now. But definitely, I’m going to be careful in the future.”
Even if students continue to use Chegg, Jacobsen urges them to be careful with the passwords they choose and to be wary of reusing passwords on multiple platforms.
“Everywhere the individual uses the same password has it protected by the company with the weakest security,” Jacobsen wrote. “The more places you use it, the more likely it is that it will be compromised, and if it becomes compromised you are giving away access to your email, your student records, and potentially health and financial information.”
Jacobsen wrote he wants students to recognize the importance of keeping their BU password exclusive to their BU account. He also said that if students used their BU email to confirm or reset passwords at other organizations, such as banks, those accounts are at risk of being compromised as well.
BU Spokesperson Colin Riley said this incident serves as a reminder to be careful with passwords.
“The important thing about this is the benefit of not using a password from BU with other institutions, because it reduces the security of the password,” Riley said.
Brennan Zhou, a senior in the College of Communication, said that he doesn’t think hacking comes as a surprise to many students.
“It’s pretty common nowadays for data breaches and hacks to happen,” Zhou said. “And that’s not surprising a company that students use is being hacked, because it’s usually credit card companies and stuff like that, so I think the student demographic hasn’t really been tapped.”
Riley said students should take actions to protect themselves from data breaches.
“Breaches are a common and an unfortunate occurrence,” Riley said. “And there are things that users should be doing as frequently as possible, like not reusing old passwords and not clicking on spam emails, to keep themselves safe.”