I was recently sent a notification by https://haveibeenpwned.com/ that one of my email addresses has been found in a breach, in particular in a breach of https://www.chegg.com. I am positive I never signed up for an account there, it's a US education company and I am not from there, nor did I ever have anything to do with US education.
I have verified the email is actually from haveibeenpwned.
I figured it's possible they merged with another company and took over their user base, but I can find no evidence of that.
If I try to sign in to chegg.com I do get a notification that I should reset my password for logging in. I did this and got a reset password email, what makes it even more dodgy is that I am adressed as Hi , to reset your password...
so obviously they left out the name I should be addressed by after Hi
.
I actually logged in with the new random password and it seems my account did have a free ebook purchase there, but it's definitely not a book that I ever was interested in. I suppose the likely scenario is that chegg never did email validation and someone just used my email address? Are there any other options? I also don't remember getting any signup emails which is common for services even if they don't verify email addresses.