McGraw Hill Data Breach Caused by Salesforce Misconfiguration

McGraw Hill announced a data breach, stating the incident was connected to a Salesforce database misconfiguration. The cybercriminal group known as ShinyHunters has claimed responsibility, saying it took 45 million records and threatening to release them if the organization doesn't meet its demands.
Pete Luban, Field CISO at AttackIQ, remarks, “This most recent attack lines up with the recent uptick in activity seen from ShinyHunters, where ‘breaking in’ is often less about exotic malware and more about abusing the messy state of modern environments. ShinyHunters have taken advantage of this reality to conduct similar successful campaigns against Rockstar Games and the European Commission in just the last couple of weeks, exploiting cloud environments to gain access and exfiltrate data. The business model is the same, and so are the results: move fast, grab data, and monetize through extortion pressure.
“ShinyHunters keeps winning where identity, configuration, and third-party controls are treated like set-and-forget tasks. Organizations need to protect their environments with the understanding that modern attackers can use vulnerabilities in any part of a cybersecurity ecosystem to launch attacks and cause chaos. ShinyHunters’ playbooks should be treated as testable, not theoretical. Validating defenses against realistic abuse paths can help security teams identify where gaps in security lie, and patch them in order to prevent outsider access and data exfiltration, rather than just alerting after the fact.”
Upon discovery of the incident, McGraw Hill secured the impacted webpages and launched an investigation.
“This activity appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations that work with Salesforce,” a spokesperson for McGraw Hill stated. “Importantly, this did not involve unauthorized access to McGraw Hill’s Salesforce accounts, customer databases, courseware, or internal systems.”
A Salesforce spokesperson said there is no evidence the platform was compromised or that the incident was caused by a known vulnerability of the platform.
Upon reviewing the impacted data, the organization determined it was limited to non-sensitive information. At this time, it is unknown how many were impacted by this breach.
Ross Filipek, CISO at Corsica Technologies, remarks, “McGraw-Hill says attackers abused a Salesforce misconfiguration to access a limited, ‘non-sensitive’ dataset, while ShinyHunters is publicly claiming far more, including tens of millions of Salesforce records with personally identifiable information. In an education context, even ‘boring’ CRM-style data can be rocket fuel: staff and faculty directories, emails, roles, support case notes, school or district identifiers, and contact records can be stitched into high-confidence phishing and account-takeover campaigns.
“ShinyHunters has no shortage of options for potential follow-up campaigns. They can target instructors with convincingly branded messages, pivot into downstream tools, and even impersonate trusted contacts to push payment redirection or harvest credentials. For students and families, the fallout can range from identity fraud attempts to harassment and doxxing, plus the quieter, longer-term damage of having educational affiliation and contact details circulating in criminal markets.
“This situation feels eerily familiar. Last year’s PowerSchool breach demonstrated how attackers can monetize education data at scale through extortion. Both attacks exploited weak points in SaaS configurations and pressured the victims through a leak website with the goal of being paid a hefty ransom. Educational institutions and learning platforms should tighten their third-party and contractor access with least privilege access controls and strong multi-factor authentication. Further, they should back that up with centralized, continuously managed monitoring and response plus automated configuration and vulnerability governance to eliminate risky access paths and ensure misconfigurations are identified, prioritized, and remediated quickly, before attackers can turn them into leverage.”
McGraw Hill has stated it is working alongside Salesforce to strengthen security and address the issue.







