Full Report
Publisher claims misconfigured Salesforce-hosted page leaked data Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…
Analysis Summary
# Incident Report: McGraw Hill Salesforce Configuration Data Leak
## Executive Summary
Textbook giant McGraw Hill suffered a significant data exposure involving approximately 13.5 million records containing Personally Identifiable Information (PII). The incident reportedly stems from a misconfigured Salesforce-hosted webpage that allowed the ShinyHunters extortion group to exfiltrate over 100 GB of data. While the company characterizes the event as a limited exposure due to a platform-wide misconfiguration, the data is currently being used for ransom extortion on the dark web.
## Incident Details
- **Public Disclosure Date:** April 14, 2026 (listing on the ShinyHunters leak site after the ransom deadline lapsed; the date McGraw Hill first detected the exposure is not reported)
- **Incident Date:** April 2026 or earlier; extortion ongoing
- **Affected Organization:** McGraw Hill
- **Sector:** Education / Publishing
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-April 14, 2026
- **Vector:** Misconfigured Salesforce-hosted environment
- **Details:** Attackers exploited a "limited" Salesforce-hosted webpage that was improperly secured, allowing public or unauthorized access to underlying datasets.
### Lateral Movement
- **Details:** According to McGraw Hill, there was no lateral movement into internal systems, customer databases, or courseware. The access was confined to the exposed Salesforce environment.
### Data Exfiltration/Impact
- **Details:** Approximately 100 GB of data consisting of 13,584,541 unique records was stolen. The ShinyHunters group claims the total record count in their possession exceeds 40 million.
### Detection & Response
- **How it was discovered:** Discovery occurred when the ShinyHunters crew listed McGraw Hill on their dark web leak site following a missed ransom deadline on April 14.
- **Response actions taken:** McGraw Hill investigated the source to a Salesforce-hosted page and issued statements to media outlets, though they have not yet posted a public notice on their primary channels.
## Attack Methodology
- **Initial Access:** Misconfiguration of a Salesforce-hosted webpage (cloud storage/app misconfiguration).
- **Persistence:** Not applicable; incident was an exfiltration of exposed data rather than persistent network access.
- **Privilege Escalation:** None required; the misconfiguration itself granted read access to the records. The report does not identify the exact permission error, so causes such as an over-permissioned guest profile or an insecure direct object reference remain speculation.
- **Defense Evasion:** Not specified; requests to a legitimate Salesforce-hosted page look like ordinary web traffic, which makes scraping of an exposed page hard to distinguish from normal use.
- **Credential Access:** None reported. Stolen credentials and abused OAuth connected apps featured in other Salesforce-related extortion campaigns, but McGraw Hill attributes this incident to misconfiguration alone.
- **Discovery:** Web scraping/enumeration of public-facing Salesforce instances.
- **Lateral Movement:** None reported.
- **Collection:** Automated harvesting of PII from the misconfigured page.
- **Exfiltration:** Over 100 GB of PII transferred to attacker-controlled infrastructure.
- **Impact:** Data breach and extortion.
## Impact Assessment
- **Financial:** Undisclosed; potential regulatory fines and costs associated with credit monitoring for millions of users.
- **Data Breach:** Exposure of 13.5M+ records including names, phone numbers, email addresses, and physical addresses.
- **Operational:** Minimal disruption reported to core services, as internal systems remained isolated.
- **Reputational:** Significant public impact due to the scale of student and educator data exposure.
## Indicators of Compromise
- **Network indicators:** None published. The extortion listing appears on the ShinyHunters Tor leak site; no attacker infrastructure or source addresses used for the exfiltration have been disclosed.
- **File indicators:** None published; no file names or hashes for the stolen dataset have been released by McGraw Hill or the attackers.
- **Behavioral indicators:** Unusually high-volume record reads from unauthenticated (guest) sessions against Salesforce-hosted public pages or the APIs behind them, typically many requests from a small set of source addresses, each returning far more rows than a single page view needs.
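The behavioral indicator above can be checked against Salesforce Event Monitoring exports. The following is an added example (not code from the original report) that aggregates rows read by guest users per source address and object from lines in the shape of the `API` event log CSV. The column names follow the Event Monitoring `API` event type, and the single-letter `USER_TYPE` codes (`G` for guest, `S` for standard) follow Salesforce's published mapping, but both are assumptions to verify against your own export; the log lines and thresholds are constructed for the example.

```python
"""Flag bulk record reads by Salesforce guest (unauthenticated) users.

Added example, not from the original report. Input rows are assumed to be in
the shape of a Salesforce Event Monitoring 'API' event log CSV export with the
columns EVENT_TYPE, TIMESTAMP, USER_TYPE, CLIENT_IP, ENTITY_NAME and
ROWS_PROCESSED. The sample below is constructed, not real McGraw Hill data.
"""
import csv
import io
from collections import defaultdict

# Assumed USER_TYPE codes from the Event Monitoring documentation.
GUEST_USER_TYPE = "G"

# Constructed sample: one source address pulls Contact rows in large pages
# through a guest session, next to ordinary authenticated and guest traffic.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_TYPE,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,20260410120000.000,G,198.51.100.23,Contact,2000
API,20260410120001.000,G,198.51.100.23,Contact,2000
API,20260410120002.000,G,198.51.100.23,Contact,2000
API,20260410120003.000,G,198.51.100.23,Contact,2000
API,20260410120004.000,S,203.0.113.8,Account,15
API,20260410120005.000,G,192.0.2.77,Contact,3
"""

# A guest session on a public page should read a handful of rows at a time.
# The limit is an assumption for the example; tune it to your org's baseline.
MAX_GUEST_ROWS_PER_SOURCE = 1000


def summarize_guest_reads(log_text):
    """Return {(client_ip, entity): total rows read by guest-user API events}."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API" or row["USER_TYPE"] != GUEST_USER_TYPE:
            continue
        key = (row["CLIENT_IP"], row["ENTITY_NAME"])
        totals[key] += int(row["ROWS_PROCESSED"])
    return dict(totals)


def find_bulk_guest_reads(log_text, per_source_limit=MAX_GUEST_ROWS_PER_SOURCE):
    """Return sorted [(client_ip, entity, rows)] for guest sources over the limit."""
    totals = summarize_guest_reads(log_text)
    return sorted(
        (ip, entity, rows)
        for (ip, entity), rows in totals.items()
        if rows > per_source_limit
    )


if __name__ == "__main__":
    for ip, entity, rows in find_bulk_guest_reads(SAMPLE_LOG):
        print(f"guest session from {ip} read {rows} {entity} rows")
```

Aggregating per source address and object, rather than alerting on a single large response, catches the paging pattern a scraper uses: many requests that each stay under a per-request cap but add up to the whole table. Run it over the `API`, `URI` and `RestApi` event types together if your org exposes data through more than one channel.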
## Response Actions
- **Containment measures:** Identification and decommissioning (or securing) of the specific misconfigured Salesforce-hosted page.
- **Eradication steps:** Not applicable as the data was already exfiltrated; focus shifted to data validation and impact analysis.
- **Recovery actions:** Monitoring of leak sites; coordination with Salesforce to address the reported "broader issue" of misconfiguration.
## Lessons Learned
- **Cloud Complexity:** Even "limited" or "guest" pages in SaaS environments like Salesforce can serve as gateways to massive datasets if object permissions are not strictly audited.
- **Third-Party Shared Responsibility:** Organizations often fail to realize that while the SaaS provider (Salesforce) manages the infrastructure, the customer is responsible for data access configurations.
- **Extortion Readiness:** Attackers are increasingly skipping encryption (ransomware) in favor of pure data theft and extortion (exfiltration-only).
## Recommendations
- **Permissions Audit:** Regularly perform "Guest User Access" reviews in Salesforce to ensure no sensitive objects are exposed to the public internet.
- **SaaS Security Posture Management (SSPM):** Implement tools to automatically detect and remediate misconfigurations across SaaS platforms.
- **OAuth and Integration Review:** Audit all third-party applications and OAuth tokens connected to the Salesforce environment to ensure the principle of least privilege.
- **Data Minimization:** Ensure that public-facing web components do not have access to backend tables containing extensive PII unless strictly necessary for functionality.
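The Permissions Audit and Data Minimization items above come down to one question: which objects can a guest-user profile read at all? The following is an added example (not code from the report, from McGraw Hill or from Salesforce) that pulls object-level permissions for every guest profile through the standard `ObjectPermissions`, `PermissionSet` and `Profile` objects of the Salesforce REST API and flags PII-bearing objects. The sensitive-object list and the sample query result are constructed for the example; the `query_salesforce` helper makes a real network call and needs an admin access token.

```python
"""Audit which objects Salesforce guest-user profiles can read.

Added example, not code from the original report or from Salesforce. It relies
on the standard ObjectPermissions / PermissionSet / Profile objects of the
Salesforce REST API; the query result below is constructed for the example.
"""
import json
import urllib.parse
import urllib.request

# SOQL: object-level permissions held by every guest-user profile.
# Profile.UserType = 'Guest' identifies Sites / Experience Cloud guest profiles.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
    "PermissionsViewAllRecords FROM ObjectPermissions "
    "WHERE Parent.Profile.UserType = 'Guest'"
)

# Objects that hold PII and should essentially never be readable by guests.
# This set is an assumption for the example; add your own custom objects.
SENSITIVE_OBJECTS = {"Contact", "Lead", "User", "Case", "Account"}


def query_salesforce(instance_url, access_token, soql, api_version="v60.0"):
    """Run a SOQL query via the REST API and return its records (network call)."""
    url = (f"{instance_url}/services/data/{api_version}/query?"
           + urllib.parse.urlencode({"q": soql}))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["records"]


def guest_exposures(records, sensitive=SENSITIVE_OBJECTS):
    """Return sorted [(profile, object, view_all)] for sensitive objects guests can read.

    view_all is True when the profile also holds View All Records, which
    bypasses sharing and exposes every row of the object.
    """
    findings = []
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue
        obj = rec["SobjectType"]
        if obj in sensitive:
            profile = rec["Parent"]["Profile"]["Name"]
            findings.append((profile, obj, bool(rec.get("PermissionsViewAllRecords"))))
    return sorted(findings)


# Constructed sample in the shape of the REST query response (not real data).
SAMPLE_RECORDS = [
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}},
     "SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}},
     "SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Store Guest User"}},
     "SobjectType": "Account", "PermissionsRead": False, "PermissionsViewAllRecords": False},
]

if __name__ == "__main__":
    # Replace SAMPLE_RECORDS with
    # query_salesforce("https://yourorg.my.salesforce.com", token, GUEST_OBJECT_PERMS_SOQL)
    for profile, obj, view_all in guest_exposures(SAMPLE_RECORDS):
        print(f"{profile}: guests can read {obj}" + (" (View All Records)" if view_all else ""))
```

Object-level read is only the first gate: guest users also need a guest sharing rule (or View All Records) to see rows, so pair this audit with a review of the sharing rules granted to each guest profile. A finding of read access to Contact or Lead on any guest profile deserves a ticket even when no sharing rule currently exists, because the next sharing rule someone adds turns it into a public dataset.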