McGraw Hill, a major global education publisher, has confirmed a data breach affecting millions of users after attackers exploited a misconfiguration in a Salesforce-hosted environment. The incident, attributed to the ShinyHunters extortion group, involved unauthorized access to a dataset exposed through a webpage on the platform.
While the company maintains that its core systems, customer databases, and educational platforms were not compromised, external sources report that over 100GB of data tied to approximately 13.5 million accounts has been leaked.
The exposed information includes names, email addresses, phone numbers, and physical addresses.
Why It Matters: This incident is a good reminder of how small misconfigurations in third-party platforms can turn into very large data exposures. Even when the data involved seems limited at first, the scale and context can make it much more impactful, especially when millions of users are involved. As organizations continue to rely on cloud-based tools like Salesforce, the line between platform security and implementation responsibility becomes extremely important.
- Third-party environments can become exposure points: The breach did not originate from McGraw Hill’s core internal systems, but from a misconfigured environment hosted on Salesforce. This reflects a broader industry reality: organizations rely on cloud and SaaS platforms, and security depends on how those environments are configured and managed.
- Scale of exposure amplifies downstream risks: Although the company described the accessed data as “limited,” the leak reportedly includes 13.5 million unique email addresses along with additional personal details in some records. Even partial datasets at this scale can significantly increase the effectiveness of phishing, credential stuffing, and other social engineering attacks.
- Conflicting claims highlight uncertainty in breach impact: ShinyHunters claims up to 45 million records were stolen, while McGraw Hill has characterized the exposure as more limited. This kind of discrepancy is common in breach scenarios and can make it difficult for affected users and organizations to quickly assess the true level of risk.
- Part of a broader campaign targeting SaaS ecosystems: The incident is not isolated. ShinyHunters has recently targeted multiple organizations through platforms like Salesforce and Snowflake, pointing to a wider trend of attackers focusing on centralized enterprise services. The group has also moved away from traditional ransomware encryption and now focuses on data exfiltration and public leaks to pressure victims.
- “Limited” data exposure can still carry real consequences: Even without financial information or highly sensitive identifiers like Social Security numbers, datasets containing names, addresses, and contact details can be combined with other breaches or public data. This layering effect makes future attacks more convincing and harder for individuals to detect.



