Full Report
Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. [...]
Analysis Summary
# Incident Report: McGraw-Hill Salesforce Misconfiguration Leak
## Executive Summary
McGraw-Hill, a major global education publisher, suffered a data breach resulting from a misconfiguration within a Salesforce-hosted environment. The incident was brought to light following an extortion threat by the threat actor group "ShinyHunters," who claimed to have stolen 45 million records. McGraw-Hill has countered the group's claims, stating the exposed data was limited and non-sensitive, and did not include Social Security numbers or financial information.
## Incident Details
- **Discovery Date:** Approximately April 2024 (following extortion threat)
- **Incident Date:** Not specified; prior to April 14, 2026
- **Affected Organization:** McGraw-Hill
- **Sector:** Education / Publishing
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** Preceding April 14, 2026
- **Vector:** SaaS Misconfiguration
- **Details:** Attackers exploited a specific misconfiguration in a Salesforce-hosted webpage, a known issue affecting multiple organizations using the platform.
### Lateral Movement
- **Details:** Based on current company statements, there is no evidence of lateral movement. The breach was restricted to the Salesforce-hosted webpage environment and did not penetrate internal systems, customer databases, or McGraw-Hill's primary Salesforce accounts.
### Data Exfiltration/Impact
- **Details:** The threat actor "ShinyHunters" claimed to have exfiltrated 45 million records containing Personally Identifiable Information (PII). McGraw-Hill disputes the volume and sensitivity, claiming only a limited set of non-sensitive data was accessible.
### Detection & Response
- **How it was discovered:** Primarily via an extortion threat posted on the ShinyHunters dark-web portal.
- **Response actions taken:** McGraw-Hill secured the affected webpages immediately, engaged external cybersecurity experts for a forensic investigation, and coordinated with Salesforce to remediate the misconfiguration.
## Attack Methodology
- **Initial Access:** Exploitation of Salesforce misconfiguration (Unauthorized access to public-facing hosted pages).
- **Persistence:** Not reported; access likely relied on the duration of the misconfiguration.
- **Privilege Escalation:** Not applicable; access was via public-facing misconfigured assets.
- **Defense Evasion:** Not specified.
- **Credential Access:** None; the exploit targeted misconfigured permissions rather than bypassing authentication.
- **Discovery:** Web-based reconnaissance targeting common Salesforce misconfigurations.
- **Lateral Movement:** None confirmed.
- **Collection:** Automated scraping or querying of the misconfigured Salesforce environment.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure.
- **Impact:** Data extortion and reputational risk.
## Impact Assessment
- **Financial:** Risk of ransom demands; costs associated with third-party forensic investigations.
- **Data Breach:** The two accounts conflict: ShinyHunters claims 45M records containing PII, while McGraw-Hill states that only a limited set of non-sensitive data was exposed.
- **Operational:** Minimal; internal systems and courseware platforms remained functional.
- **Reputational:** High-profile public extortion threat by a notorious threat group.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Unauthorized queries or heavy traffic directed at specific Salesforce-hosted URLs.
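The behavioral indicator above (unauthorized queries or heavy traffic against specific Salesforce-hosted URLs) can be turned into a simple rate-based detection. The following is an added example, not code from the report, from McGraw-Hill or from Salesforce: it parses a few constructed web-access log lines in Common Log Format, as a reverse proxy or WAF in front of the hosted pages might emit, and flags any client that exceeds a request threshold against watched paths within a sliding time window. The watched path prefixes (`/s/`, `/customers/`), the threshold and the window are assumptions a defender would tune to their own site.

```python
"""Rate-based detection of bulk querying against Salesforce-hosted pages.

Added example for this report; it is not code from McGraw-Hill, Salesforce or
BleepingComputer. It parses CONSTRUCTED web-access log lines (Common Log Format)
and flags any client that exceeds a request-rate threshold against watched
paths within a sliding time window. The watched path prefixes, threshold and
window are assumptions a defender would tune to their own site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: URL prefixes of the organisation's public-facing Salesforce-hosted pages.
WATCHED_PREFIXES = ("/s/", "/customers/")

# Constructed sample traffic: one client enumerates record pages quickly,
# another browses normally, and one line is malformed on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2026:10:00:01 +0000] "GET /s/case/REC0001 HTTP/1.1" 200 4812
203.0.113.7 - - [13/Apr/2026:10:00:02 +0000] "GET /s/case/REC0002 HTTP/1.1" 200 4790
198.51.100.20 - - [13/Apr/2026:10:00:03 +0000] "GET /s/ HTTP/1.1" 200 10231
203.0.113.7 - - [13/Apr/2026:10:00:03 +0000] "GET /s/case/REC0003 HTTP/1.1" 200 4801
203.0.113.7 - - [13/Apr/2026:10:00:04 +0000] "GET /s/case/REC0004 HTTP/1.1" 200 4799
198.51.100.20 - - [13/Apr/2026:10:00:05 +0000] "GET /assets/logo.png HTTP/1.1" 200 3321
203.0.113.7 - - [13/Apr/2026:10:00:05 +0000] "GET /s/case/REC0005 HTTP/1.1" 200 4810
203.0.113.7 - - [13/Apr/2026:10:00:06 +0000] "GET /s/case/REC0006 HTTP/1.1" 200 4805
203.0.113.7 - - [13/Apr/2026:10:00:07 +0000] "GET /s/case/REC0007 HTTP/1.1" 200 4798
203.0.113.7 - - [13/Apr/2026:10:02:00 +0000] "GET /s/case/REC0008 HTTP/1.1" 200 4802
not a log line
"""


def parse_line(line):
    """Return a dict with ip, timestamp, path and status, or None if the line
    does not match the expected Common Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bulk_access(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rate check per client IP over watched paths.

    Returns {ip: (peak_requests_in_window, distinct_watched_paths)} for every
    client whose request count to watched paths exceeded `threshold` within
    any `window`-long span. Lines are expected in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    paths = defaultdict(set)      # ip -> distinct watched paths requested
    peak = defaultdict(int)       # ip -> highest in-window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        paths[rec["ip"]].add(rec["path"])
        # Drop timestamps that have fallen out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: (p, len(paths[ip])) for ip, p in peak.items()}


if __name__ == "__main__":
    for ip, (p, distinct) in detect_bulk_access(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {p} watched-path requests within 60s, {distinct} distinct paths")
```

Run as-is it reports only the enumerating client; the second client never crosses the threshold, and the malformed line is skipped. The distinct-path count is reported alongside the peak rate because a scraper walking record IDs produces many distinct URLs, whereas a legitimate user refreshing one page does not; tuning both values against a baseline of normal traffic keeps the alert from firing on ordinary browsing.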
## Response Actions
- **Containment:** Secured the affected web pages immediately upon notification/detection.
- **Eradication:** Applied configuration changes to the Salesforce environment to close the exposure gap.
- **Recovery:** Engaged third-party experts to validate that no sensitive data (SSNs/Financials) was lost.
## Lessons Learned
- **SaaS Oversight:** Misconfigurations of third-party SaaS platforms (here Salesforce) can expose data even when internal systems are secure.
- **Asset Inventory:** Maintaining a clear inventory of all public-facing Salesforce pages is critical for preventing "shadow" data leaks.
- **Verification of Actor Claims:** Threat actors often exaggerate breach volumes (45M records vs. "limited set") to increase extortion pressure.
## Recommendations
- **Configuration Audits:** Regularly perform automated audits of Salesforce permissions (Guest User profiles, Sharing Rules) to ensure no internal data is exposed to the public.
- **SaaS Security Posture Management (SSPM):** Implement SSPM tools to automatically detect misconfigurations across cloud platforms.
- **Third-Party Monitoring:** Actively monitor dark-web forums and threat actor portals for mentions of company assets to reduce the time between breach and discovery.
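The first recommendation, auditing Guest User profile permissions so that no internal data is readable by unauthenticated visitors, is straightforward to script once the permission rows are exported. The block below is an added example, not McGraw-Hill's or Salesforce's code. It assumes an administrator has already exported the `ObjectPermissions` and `FieldPermissions` rows belonging to guest-user profiles (for instance with a SOQL query filtered on `Parent.Profile.UserLicense.Name = 'Guest User License'`) to JSON; the record shape mirrors what such a query returns, but the records, the profile name and the sensitivity policy are constructed for illustration.

```python
"""Offline audit of guest-user permissions exported from a Salesforce org.

Added example for this report; it is not McGraw-Hill's or Salesforce's code.
It assumes the ObjectPermissions and FieldPermissions rows for guest-user
profiles were exported to JSON beforehand (e.g. via SOQL filtered on
Parent.Profile.UserLicense.Name = 'Guest User License'). The records, the
profile name and the sensitivity policy below are CONSTRUCTED for illustration.
"""
import json

# Assumed policy: objects an unauthenticated guest should never be able to read,
# and field-name suffixes that mark PII regardless of the object they belong to.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "User"}
SENSITIVE_FIELD_SUFFIXES = ("Email", "Phone", "Street", "SSN__c", "BirthDate")

# Constructed export of ObjectPermissions rows for one guest profile.
SAMPLE_OBJECT_PERMS = json.dumps([
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "SObjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "SObjectType": "Case",
     "PermissionsRead": True, "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "SObjectType": "Contact",
     "PermissionsRead": True, "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "SObjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": False},
])

# Constructed export of FieldPermissions rows for the same profile.
SAMPLE_FIELD_PERMS = json.dumps([
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "Field": "Contact.Email",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "Field": "Contact.FirstName",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Customer Site Guest"}}, "Field": "Case.Subject",
     "PermissionsRead": True, "PermissionsEdit": False},
])


def _profile(record):
    """Profile name from the nested Parent.Profile relationship in the export."""
    return record["Parent"]["Profile"]["Name"]


def audit_object_permissions(records):
    """Flag guest read access on sensitive objects and any guest edit/delete."""
    findings = []
    for r in records:
        obj = r["SObjectType"]
        if r.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append((_profile(r), obj, "guest read on sensitive object"))
        if r.get("PermissionsEdit") or r.get("PermissionsDelete"):
            findings.append((_profile(r), obj, "guest edit/delete permission"))
    return findings


def audit_field_permissions(records):
    """Flag guest read access on fields whose names mark them as PII."""
    findings = []
    for r in records:
        field = r["Field"]  # formatted as "Object.FieldName"
        if r.get("PermissionsRead") and field.endswith(SENSITIVE_FIELD_SUFFIXES):
            findings.append((_profile(r), field, "guest read on sensitive field"))
    return findings


def run_audit(object_perms_json, field_perms_json):
    """Parse both exports and return the combined list of findings."""
    return (audit_object_permissions(json.loads(object_perms_json))
            + audit_field_permissions(json.loads(field_perms_json)))


if __name__ == "__main__":
    for profile, target, issue in run_audit(SAMPLE_OBJECT_PERMS, SAMPLE_FIELD_PERMS):
        print(f"{profile}: {target}: {issue}")
```

On the constructed export the audit reports guest read access on Case, Contact and Account, an edit permission on Account, and a readable `Contact.Email` field, while the knowledge article object and non-PII fields pass. Object and field permissions are only one layer: the same review should cover org-wide sharing defaults and the sharing rules the recommendation names, since a guest profile with read permission on an object still needs a sharing path to individual records.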