The tutoring and textbook company Chegg recently acknowledged a data breach that potentially affected 40 million users, in just the latest revelation of an education business’ vulnerability to hacking.

The California-based company, which made its name as hub for rentals of college textbooks, revealed the breach on Sept. 19 in an 8K financial disclosure to the Securities and Exchange Commission.

Explore the K-12 Market With EdWeek Market Brief Businesses and other organizations looking for intel on the school marketplace should check out EdWeek Market Brief , a service that provides news, analysis, and original data on the ever-changing needs and priorities of schools.

It took time for the news to reach investors, but when it did, Chegg’s stock price fell sharply, from a recent peak of more than $32 a share on Sept. 25 to $27.42 less than a week later.

In its statement, Chegg said that the breach occurred on around April 29 of this year. An unauthorized party gained access to a company database that hosts users of chegg.com and a number of other company brands, including EasyBib, a Chegg subscription service to help with writing and citations.

“The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password,” the company said.

No social security numbers or financial information such as users’ credit card numbers or bank information was revealed, the company asserted.

News of Chegg’s data breach emerged two weeks after the FBI issued a warning about data-privacy risks posed schools’ use of ed-tech that collects personal information, from web search histories to biometric data.

Chegg’s main focus is in higher education, and its business includes tutoring, homework assistance and other services, some of which draw high school users.

Despite Chegg’s postsecondary focus, the security lapse offers a “case study” for pre-college providers and schools on data-security risks, said Phil Hill, a consultant, in an interview. Hill wrote about the data breach on his blog, e-literate. “If I were a K-12 company I’d be watching this very closely.”

Chegg officials said in their statement that they began notifying 40 million active and inactive registered users and “certain regulatory authorities” on Sept. 26.

Company spokesman Marc Boxser told EdWeek Market Brief this week that the company is informing all of its users who were potentially affected by the breach, and telling them to reset their passwords, “out of an abundance of caution.”

All password resets are expected to be completed by today, Boxser said.

New Regulations Set the Bar

One of the first to call attention to the Chegg breach was Hill, an education consultant and market analyst for the company MindWires Consulting who posted a blog and a tweet about the SEC disclosure.

Investors may have been spooked not only by the vulnerabilities laid bare by the data breach, but also by the possibility that some Chegg users who did not realize they were still subscribing to various company services would get a data-security notice and then want to opt out, speculated one Morgan Stanley analyst, as quoted by Bloomberg.

One of the more pressing questions is whether the breach will draw the scrutiny of data-privacy regulators, said Hill in an interview. He pointed to the new rules put in place as part of GDPR, the sweeping European data privacy regulation that took effect earlier this year.

The European policy has come into focus recently with the admission by social media giant Facebook — which has a major presence in schools — that hackers gained access to 50 million of its accounts. European authorities have said they are investigating how many users on the continent were affected, and whether it would trigger GPDR enforcement.

Facebook could face a fine of around 4 percent of its revenues, or $1.6 billion by some accounts, if it was found to have violated GDPR.

Boxser said Chegg is “principally U.S.-based, and the core focus of our business is the United States.”

“We are providing notice to the particular regulatory agencies, in the U.S. and internationally — including Europe,” he said. He declined to name the regulators.

Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.

See also: