McGraw-Hill Confirms Data Exposure, Hackers Claim 45M Salesforce Records Leaked

McGraw-Hill has confirmed unauthorized access to a limited set of internal data following a reported Salesforce misconfiguration.

The disclosure comes after an extortion threat, allegedly by ShinyHunters, that raised questions about the incident’s scale and sensitivity.

“ShinyHunters has no shortage of options for potential follow-up campaigns. They can target instructors with convincingly branded messages, pivot into downstream tools, and even impersonate trusted contacts to push payment redirection or harvest credentials,” Ross Filipek, CISO at Corsica Technologies, said in an email to eSecurityPlanet.

He added, “For students and families, the fallout can range from identity fraud attempts to harassment and doxxing, plus the quieter, longer-term damage of having educational affiliation and contact details circulating in criminal markets.”

What we know about the McGraw-Hill incident

McGraw-Hill serves K-12, higher education, and digital learning environments, supporting a broad, distributed base of students, educators, and institutional partners.

According to BleepingComputer, the incident surfaced after the ShinyHunters extortion group claimed it had obtained up to 45 million Salesforce records tied to McGraw-Hill, alleging the data includes personally identifiable information (PII) and threatening to release it.

However, the company disputes those claims, stating that its investigation has found only limited, non-sensitive data exposure.

Salesforce misconfiguration identified as root cause

According to McGraw-Hill, the incident did not involve unauthorized access to its Salesforce accounts, customer databases, courseware, or internal systems.

Reporting from BleepingComputer indicates the exposure was confined to a webpage hosted within Salesforce’s environment. This distinction is important, as it suggests the issue may have originated at the application or configuration layer within a third-party platform rather than from a compromise of McGraw-Hill’s core infrastructure or identity systems.

Preliminary findings from the company also point to a misconfiguration within Salesforce’s environment as the root cause.

The gap between the company’s findings and the threat actor’s claims reflects a familiar pattern in extortion-driven incidents, where attackers may inflate the scope or sensitivity of data to increase leverage.

Reducing risk in SaaS environments

As organizations expand their use of SaaS platforms and third-party integrations, misconfigurations remain a source of data exposure.

Addressing this risk requires consistent visibility, stronger access controls, and a more proactive approach to securing cloud applications and their underlying data.

  • Regularly audit and continuously monitor SaaS configurations to detect misconfigurations, access control gaps, and publicly exposed assets.
  • Enforce strong identity and access management by applying least privilege, MFA, SSO, and periodic reviews of user roles and third-party integrations.
  • Limit exposure of hosted components and sensitive data by securing APIs, restricting public access, and implementing data classification and DLP controls.
  • Centralize logging and monitoring to enable real-time detection, extended log retention, and effective forensic investigation across SaaS environments.
  • Strengthen third-party risk management through formal governance, security reviews, defined SLAs, and clear shared responsibility boundaries.
  • Adopt zero-trust principles by continuously validating user and device access, segmenting environments, and applying conditional access policies.
  • Test incident response plans and use attack simulation tools to rehearse cloud misconfiguration and data loss scenarios.

Incidents like this reinforce a broader shift in the threat landscape, where attackers exploit weaknesses in SaaS configurations and third-party ecosystems rather than targeting core infrastructure directly.

Even when the actual exposure is limited, the combination of public claims, extortion pressure, and downstream risk can create operational and reputational challenges for organizations.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
