McGraw Hill data breach exposes 13.5 million users following Salesforce misconfiguration
- Marijan Hassan - Tech Journalist
Education publishing giant McGraw Hill has confirmed a significant data breach after an extortion attempt by the cybercriminal group ShinyHunters led to the public leak of 13.5 million user records. The breach, which came to light this week, was traced back to a misconfiguration in the company’s Salesforce environment. This security lapse allowed unauthorized access to a webpage hosted on the platform, enabling attackers to exfiltrate over 100GB of data.

After McGraw Hill reportedly declined to meet a ransom deadline on April 14, the hackers released the dataset on a dark web leak site.
Scope of the exposed data
According to security analysts at Have I Been Pwned, the leaked files contain a massive repository of personally identifiable information (PII).
- Primary data: 13.5 million unique email addresses.
- Secondary data: Full names, physical addresses, and phone numbers were found inconsistently across various records.
McGraw Hill emphasized that the breach did not impact its core internal systems, customer databases, proprietary courseware, or sensitive financial information such as Social Security numbers.
A growing trend in SaaS vulnerabilities
The incident appears to be part of a broader campaign by ShinyHunters targeting organizations through third-party SaaS misconfigurations. Similar breaches have recently affected Rockstar Games, Match Group, and the European Commission.
Salesforce has responded by clarifying that the issue does not stem from a vulnerability in their technology, but rather from how individual companies configure their specific instances.
Risks for students and educators
While no passwords or academic records were leaked, cybersecurity experts warn that the exposure of 13.5 million fresh contact details provides a goldmine for targeted phishing campaigns. Users associated with McGraw Hill platforms are advised to be hyper-vigilant regarding unsolicited emails or texts that may impersonate educational institutions or service providers to harvest credentials.
The company has since secured the affected webpages and is working with Salesforce to strengthen its cloud protections. With these types of "misconfiguration" breaches becoming more common than traditional hacks, do you think companies should be held more legally accountable for how they set up their third-party cloud services?












