Full Report
The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, stolen after breaching the company's Salesforce environment earlier this month. [...]
Analysis Summary
# Incident Report: McGraw Hill Salesforce Data Breach
## Executive Summary
In April 2026, the ShinyHunters extortion group breached a Salesforce-hosted environment belonging to educational publisher McGraw Hill, claiming the theft of 45 million records. The company confirmed the breach was the result of a misconfiguration within the Salesforce environment rather than a compromise of internal systems. Ultimately, data linked to 13.5 million unique user accounts (exceeding 100GB) was leaked online after the company likely refused ransom demands.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** Early April 2026
- **Affected Organization:** McGraw Hill
- **Sector:** Education / Publishing
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Exploitation of a misconfiguration.
- **Details:** Attackers exploited a mismanaged setting on a webpage hosted by Salesforce, which allowed unauthorized access to a limited data set.
### Lateral Movement
- **Details:** Per McGraw Hill, the threat actors did not successfully move laterally into courseware, customer databases, or broader internal systems. The incident was isolated to the Salesforce-hosted platform.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claimed to have stolen 45 million Salesforce records. Following a failed extortion attempt, the group leaked over 100GB of files containing 13.5 million unique email addresses.
### Detection & Response
- **Discovery:** ShinyHunters added McGraw Hill to their dark web leak site and issued an extortion threat.
- **Response actions:** McGraw Hill launched an investigation, confirmed the breach, and identified the root cause as a Salesforce environment misconfiguration. The breach was reported to "Have I Been Pwned" for user notification.
## Attack Methodology
- **Initial Access:** Misconfiguration of a Salesforce-hosted webpage.
- **Persistence:** Not disclosed (likely short-term access to an exposed data bucket/page).
- **Privilege Escalation:** Not applicable (direct access via misconfiguration).
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not applicable (access was gained via misconfigured permissions).
- **Discovery:** Identification of exposed cloud assets/Salesforce instances.
- **Lateral Movement:** None reported; limited to the Salesforce environment.
- **Collection:** Gathering of PII from the exposed interface/database.
- **Exfiltration:** Transfer of 100GB+ of data to attacker-controlled infrastructure.
- **Impact:** Extortion attempt followed by public data leak.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with victim notification/monitoring; a ransom was demanded, payment is unconfirmed, and the public leak suggests it was not paid.
- **Data Breach:** 13.5 million unique accounts; 100GB+ of data. Includes names, physical addresses, phone numbers, and email addresses.
- **Operational:** Limited; the company stated that internal systems and courseware remained operational.
- **Reputational:** High; widespread coverage of the leak affecting students and educators.
## Indicators of Compromise
- **Network indicators:** Records associated with the ShinyHunters leak site (e.g., `http[:]//[dark-web-url]`).
- **File indicators:** Data dumps titled with "McGraw Hill" containing CSV/JSON files of user PII.
- **Behavioral indicators:** Unauthorized large-scale API calls or scraping activity originating from unknown IP addresses toward Salesforce-hosted pages.
## Response Actions
- **Containment:** Secured the misconfigured Salesforce webpage to prevent further unauthorized access.
- **Eradication:** Verified that the threat actor did not have a presence in internal customer databases.
- **Recovery:** Collaborated with Have I Been Pwned to notify affected users and issued public statements confirming the scope.
## Lessons Learned
- **Cloud Security Posture Management (CSPM):** Misconfigurations in third-party SaaS platforms (Salesforce) can be as damaging as direct network intrusions.
- **Third-Party Risk:** Organizations remain responsible for data security even when utilizing major cloud providers like Salesforce.
- **Extortion Trends:** ShinyHunters continues to target high-volume PII databases via cloud misconfigurations (Snowflake, Salesforce, etc.) rather than traditional malware.
## Recommendations
- **Configuration Audits:** Conduct regular permission audits of all Salesforce Communities/Experience Cloud sites and public-facing pages.
- **Hardening:** Implement the "Principle of Least Privilege" for all cloud-hosted data sets.
- **Monitoring:** Enable logging and alerting for anomalous data egress or "export" commands within SaaS environments.
- **User Education:** Advise customers to be vigilant for spear-phishing attempts using the leaked PII.
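As an added illustration of the behavioral indicator above (large-scale reads of PII from unknown client IPs) and of the monitoring recommendation, the following detection logic is not from the report or from McGraw Hill; it runs over a constructed CSV whose column names are an assumption loosely modelled on Salesforce API event log rows, and the allowlisted IP and thresholds are placeholders:

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real log data); columns are an assumption
# modelled on Salesforce EventLogFile-style API rows.
SAMPLE_LOG = """TIMESTAMP_DERIVED,CLIENT_IP,USER_ID,ENTITY_NAME,ROWS_PROCESSED
2026-04-02T09:00:01Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:00:04Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:00:07Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:00:10Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:00:13Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:00:16Z,203.0.113.10,005000000000001,Contact,200
2026-04-02T09:30:00Z,198.51.100.7,005000000000002,Account,25
2026-04-02T10:15:00Z,192.0.2.44,005000000000003,Contact,900
"""

KNOWN_EGRESS = {"198.51.100.7"}        # placeholder: corporate NAT / integration host
PII_OBJECTS = {"Contact", "Lead", "User"}  # objects whose bulk reads matter most

def parse_rows(text):
    """Parse the CSV and normalise timestamp and row count, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])

def detect_bulk_reads(text, window=timedelta(minutes=5), max_rows=500, min_calls=5):
    """Flag non-allowlisted client IPs that pull many PII rows, or make many
    PII reads, inside a sliding time window.
    Returns a list of (client_ip, rows_in_window, calls_in_window, window_start)."""
    by_ip = defaultdict(list)
    for r in parse_rows(text):
        if r["ENTITY_NAME"] in PII_OBJECTS and r["CLIENT_IP"] not in KNOWN_EGRESS:
            by_ip[r["CLIENT_IP"]].append(r)
    alerts = []
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start..end] spans at most `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            rows = sum(e["rows"] for e in events[start:end + 1])
            calls = end - start + 1
            if rows > max_rows or calls >= min_calls:
                alerts.append((ip, rows, calls, events[start]["ts"]))
                break  # one alert per IP is enough for triage
    return alerts
```

On the sample above, the scraping pattern from 203.0.113.10 trips the row threshold after three calls and the single 900-row pull from 192.0.2.44 trips it at once, while the allowlisted host is ignored.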