McGraw Hill Data Breach Exposes 13.5 Million Accounts via Salesforce Misconfiguration

Apr 17, 2026

Incident Overview

  • Target: McGraw Hill (EdTech Giant)

  • Threat Actor: ShinyHunters

  • Attack Vector: Salesforce misconfiguration

  • Impacted Records: ~13.5 million accounts

  • Data Exposed: Names, emails, phone numbers, addresses

  • Data Size: 100GB+ leaked dataset

  • Status: Data publicly leaked after extortion attempt

Education publishing giant McGraw Hill has confirmed a massive data breach affecting approximately 13.5 million user accounts, following an extortion attempt by the ShinyHunters threat group.

The attackers reportedly exploited a misconfiguration in McGraw Hill’s Salesforce environment, gaining unauthorized access to sensitive user data stored on a publicly accessible webpage.

What Happened?

According to official statements, the breach did not involve direct compromise of McGraw Hill’s internal systems, but instead stemmed from a third-party SaaS misconfiguration.

  • Unauthorized access was gained via a Salesforce-hosted webpage

  • The issue appears linked to a broader Salesforce misconfiguration affecting multiple organizations

  • Threat actors exfiltrated large datasets and attempted extortion

When McGraw Hill did not comply with ransom demands, the attackers released the stolen data publicly, escalating the impact significantly.

What Data Was Exposed?

The leaked dataset—over 100GB in size—contains a wide range of personally identifiable information (PII), including:

  • Email addresses (13.5 million unique entries)

  • Full names

  • Phone numbers

  • Physical addresses

Not every record contained all fields, but the dataset is still highly valuable for targeted phishing and social engineering campaigns.

Conflicting Claims: 13.5M vs 45M Records

There is a notable discrepancy in breach scale:

  • Have I Been Pwned confirms exposure of 13.5 million accounts

  • ShinyHunters claims up to 45 million Salesforce records were stolen

This gap suggests either:

  • Partial dataset release

  • Overstatement by threat actors (common in extortion campaigns)

  • Multiple datasets with varying levels of exposure

Threat Actor: ShinyHunters

The attack has been attributed to ShinyHunters, a well-known cybercriminal group that has shifted from ransomware to data extortion and mass leaks.

Their recent campaigns focus heavily on:

  • Exploiting SaaS misconfigurations (especially Salesforce)

  • Exfiltrating large datasets

  • Publishing data if ransom demands are unmet

McGraw Hill’s Response

McGraw Hill has emphasized that:

  • No financial data, Social Security numbers, or educational records were compromised

  • Core systems, including customer databases and courseware, remain secure

  • The vulnerability has been identified and remediated

However, the scale of leaked data raises concerns about underestimation of impact and third-party risk visibility.

Why This Matters

This breach highlights a growing cybersecurity trend:

1. SaaS Misconfigurations Are the New Attack Surface

Organizations increasingly rely on platforms like Salesforce—but misconfigured instances create silent exposure points.

2. Data Exfiltration > Ransomware

Rather than encrypting systems, modern threat actors prefer:

  • Stealing data

  • Threatening public leaks

3. Phishing Risk Skyrockets

With access to:

  • Names

  • Emails

  • Phone numbers

Attackers can launch highly personalized phishing campaigns, increasing success rates dramatically.

How Organizations Can Defend

To mitigate similar risks:

  • Audit SaaS configurations regularly (especially public-facing endpoints)

  • Implement least privilege access controls

  • Monitor for unauthorized data exposure in cloud environments

  • Use data loss prevention (DLP) tools

  • Train employees against spear-phishing attacks fueled by breached data
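
One way to carry out the first item, auditing what a public-facing Salesforce page can read, shown as an added example that is not code from McGraw Hill, Salesforce or ClearPhish. It assumes the public page runs under a guest (unauthenticated) profile and that field read permissions have been exported to CSV; the column names, profile names and rows are constructed, and the article does not state that this was the setting at fault.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, shaped like a field-permission export joined to its profile.
# Profile names and rows are made up for illustration.
SAMPLE_EXPORT = """profile,user_type,field,permissions_read
Portal Site Guest User,Guest,Contact.Email,true
Portal Site Guest User,Guest,Contact.Phone,true
Portal Site Guest User,Guest,Contact.MailingStreet,true
Portal Site Guest User,Guest,Case.Subject,true
Help Center Guest User,Guest,Knowledge__kav.Title,true
Help Center Guest User,Guest,Lead.LastName,false
Sales Rep,Standard,Contact.Email,true
"""

# Assumed mapping from field-name fragments to the data categories the article lists.
PII_CATEGORIES = {
    "email": "Emails",
    "phone": "Phone numbers",
    "street": "Addresses", "city": "Addresses", "postalcode": "Addresses",
    "firstname": "Names", "lastname": "Names",
}

def classify(field):
    """Return the PII category for an 'Object.Field' name, or None."""
    name = field.split(".", 1)[-1].lower()
    for fragment, category in PII_CATEGORIES.items():
        if fragment in name:
            return category
    return None

def audit_guest_access(export_text):
    """Map each guest profile to the PII categories and fields it can read."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user_type"].strip().lower() != "guest":
            continue  # only unauthenticated (public) profiles are in scope
        if row["permissions_read"].strip().lower() != "true":
            continue  # field is not readable by this profile
        category = classify(row["field"])
        if category:
            findings[row["profile"]][category].append(row["field"])
    return {p: dict(c) for p, c in findings.items()}

if __name__ == "__main__":
    for profile, cats in audit_guest_access(SAMPLE_EXPORT).items():
        for category, fields in sorted(cats.items()):
            print(f"[EXPOSED] {profile}: {category} via {', '.join(fields)}")
```

Any profile that appears in the result can read PII without logging in and should be reviewed against least privilege.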

ClearPhish Takeaway

This incident reinforces a critical reality:

Your security is only as strong as your weakest SaaS configuration.

Even without direct system compromise, misconfigured cloud environments can lead to massive data exposure.

At ClearPhish, we’ve seen how breaches like this become fuel for next-gen phishing attacks—where attackers leverage real user data to craft hyper-personalized lures.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
