McGraw-Hill confirms a data exposure tied to a Salesforce misconfiguration as hackers claim 45M records, raising concerns over SaaS security risks.
McGraw-Hill has confirmed unauthorized access to a limited set of internal data following a reported Salesforce misconfiguration.
The disclosure comes after an extortion threat, allegedly by ShinyHunters, that raised questions about the incident’s scale and sensitivity.
“ShinyHunters has no shortage of options for potential follow-up campaigns. They can target instructors with convincingly branded messages, pivot into downstream tools, and even impersonate trusted contacts to push payment redirection or harvest credentials,” Ross Filipek, CISO at Corsica Technologies, said in an email to eSecurityPlanet.
He added, “For students and families, the fallout can range from identity fraud attempts to harassment and doxxing, plus the quieter, longer-term damage of having educational affiliation and contact details circulating in criminal markets.”
McGraw-Hill serves K-12, higher education, and digital learning environments, supporting a broad, distributed base of students, educators, and institutional partners.
According to BleepingComputer, the incident surfaced after the ShinyHunters extortion group claimed it had obtained up to 45 million Salesforce records tied to McGraw-Hill, alleging the data includes personally identifiable information (PII) and threatening to release it.
However, the company disputes those claims, stating that its investigation has found only limited, non-sensitive data exposure.
According to McGraw-Hill, the incident did not involve unauthorized access to its Salesforce accounts, customer databases, courseware, or internal systems.
Reporting from BleepingComputer indicates the exposure was confined to a webpage hosted within Salesforce’s environment. This distinction is important, as it suggests the issue may have originated at the application or configuration layer within a third-party platform rather than from a compromise of McGraw-Hill’s core infrastructure or identity systems.
Preliminary findings from the company also point to a misconfiguration within Salesforce’s environment as the root cause.
The gap between the company’s findings and the threat actor’s claims reflects a familiar pattern in extortion-driven incidents, where attackers may inflate the scope or sensitivity of data to increase leverage.
As organizations expand their use of SaaS platforms and third-party integrations, misconfigurations remain a source of data exposure.
Addressing this risk requires consistent visibility, stronger access controls, and a more proactive approach to securing cloud applications and their underlying data.
Incidents like this reinforce a broader shift in the threat landscape, where attackers exploit weaknesses in SaaS configurations and third-party ecosystems rather than targeting core infrastructure directly.
Even when the actual exposure is limited, the combination of public claims, extortion pressure, and downstream risk can create operational and reputational challenges for organizations.
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.