Credential theft

Chegg S3 Root Credentials Data Breach (40M Users)

📅 2018-04-01 🏢 Amazon S3; Amazon Web Services
Primary Source ↗

Incident Details

In April 2018, Chegg, an American education technology company, suffered a data breach when a contract worker used Chegg’s AWS root account credentials, which had been shared widely within the company, to access an S3 bucket and steal data for approximately 40 million users. Relying on root account credentials and shared access keys rather than individual IAM accounts with least-privilege permissions was a fundamental security failure. Chegg didn’t discover the breach until it was disclosed in September 2018. The breach exposed user names, email addresses, hashed passwords, and scholarship application data. In 2022, the FTC took enforcement action against Chegg for this and three subsequent breaches (2018-2020), finding a pattern of poor security practices that included storing sensitive data in plaintext in S3, sharing AWS root credentials, and failing to patch known vulnerabilities. The FTC order required Chegg to implement a comprehensive security program, data minimization, and multi-factor authentication.

Technical Details

Initial Attack Vector
A contract worker with knowledge of the credentials used Chegg's AWS root account credentials and shared access keys to access an S3 bucket containing user data, exfiltrating records for 40 million users.
Vendor / Product
Amazon S3; Amazon Web Services
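The control that would have surfaced this activity is a check for any use of the account root identity in CloudTrail, since root should never touch S3 data or IAM in day-to-day operation. The example below is added here and is not Chegg's or AWS's code; it parses a constructed CloudTrail log file (the bucket name and access key IDs are made up) and raises an alert for every event performed by the root identity, ranking events that carry a root access key higher because that is the shared-key pattern described above.

```python
import json

# Constructed CloudTrail log file (not real data), in the {"Records": [...]}
# envelope CloudTrail delivers to S3. Only the fields this check reads are filled.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-04-01T02:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIAEXAMPLEROOTKEY"},
     "requestParameters": {"bucketName": "example-user-data"}},
    {"eventTime": "2018-04-01T02:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects",
     "userIdentity": {"type": "IAMUser", "userName": "analyst1",
                      "accessKeyId": "AKIAEXAMPLEUSERKEY"},
     "requestParameters": {"bucketName": "example-user-data"}},
    {"eventTime": "2018-04-01T02:17:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root"}},
]})


def root_activity_alerts(log_text):
    """Parse one CloudTrail log file and return an alert per root-identity event.

    Any use of the root identity is reportable. A root event that carries an
    accessKeyId means a long-lived root access key exists and is in use, which
    is the sharing pattern behind this incident, so it is ranked 'high'.
    """
    alerts = []
    for ev in json.loads(log_text).get("Records", []):
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "Root":
            continue
        params = ev.get("requestParameters") or {}
        alerts.append({
            "time": ev.get("eventTime"),
            "action": f"{ev.get('eventSource')}:{ev.get('eventName')}",
            "bucket": params.get("bucketName"),
            "severity": "high" if ident.get("accessKeyId") else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in root_activity_alerts(SAMPLE_LOG):
        print(alert)
```

Object-level S3 calls such as GetObject only appear in CloudTrail when data event logging is enabled for the bucket; without it, this check still sees root management-plane activity but not the reads themselves.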

Timeline

  1. 2018-04-01 Breach occurred
  2. 2018-09-25 Publicly disclosed
  3. 2018-10-01 Customers notified