Full Report
In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. The company attributed the incident to a Salesforce misconfiguration and stated that it exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records.
Analysis Summary
# Incident Report: McGraw Hill Salesforce Misconfiguration & Data Leak
## Executive Summary
In April 2026, educational publisher McGraw Hill suffered a significant data breach resulting from a Salesforce misconfiguration. The incident led to the exposure and subsequent public distribution of over 100GB of data, impacting approximately 13.5 million unique users. The breach was brought to light following an extortion attempt by threat actors.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** McGraw Hill
- **Sector:** Education / Publishing
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 (exact start date unspecified)
- **Vector:** Cloud Misconfiguration
- **Details:** A Salesforce-hosted webpage was improperly configured, allowing unauthorized access to a "limited set of data" that was intended to be private or restricted.
### Lateral Movement
- **Details:** No lateral movement within McGraw Hill's internal corporate network was reported; the attack focused on data accessible via the misconfigured Salesforce platform interface.
### Data Exfiltration/Impact
- **Details:** Threat actors exfiltrated over 100GB of data. After an unsuccessful extortion attempt, the attackers publicly distributed multiple files containing 13.5 million unique email addresses.
### Detection & Response
- **Detection:** The incident was identified following an extortion threat made by the attackers to the company.
- **Response:** McGraw Hill confirmed the breach, investigated the source (Salesforce platform), and acknowledged the exposure of the data.
## Attack Methodology
- **Initial Access:** Exploitation of a Salesforce misconfiguration (permissive access controls on a hosted webpage).
- **Persistence:** Not applicable; data was harvested via the open configuration.
- **Privilege Escalation:** Not reported; access was gained through publicly accessible but improperly secured web components.
- **Defense Evasion:** Access through the legitimate Salesforce service, so the traffic passed traditional perimeter defenses as ordinary SaaS communication.
- **Credential Access:** None reported (data was exposed without authentication).
- **Discovery:** Likely automated scanning for misconfigured cloud instances/SaaS buckets.
- **Lateral Movement:** N/A (Cloud-native data leak).
- **Collection:** Automated scraping or bulk download of exposed Salesforce records.
- **Exfiltration:** Direct download from the Salesforce-hosted platform.
- **Impact:** Financial extortion attempt and public release of PII.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with credit monitoring for millions of users; specific figures not disclosed.
- **Data Breach:** High volume; 100GB+ of data including 13.5 million email addresses, names, phone numbers, and physical addresses.
- **Operational:** Limited reported disruption to core educational services, as the breach occurred on a specific web-hosted platform.
- **Reputational:** High; widespread coverage in security media (BleepingComputer) and inclusion in "Have I Been Pwned" (HIBP).
## Indicators of Compromise
- **Network indicators:** N/A (Traffic would appear as legitimate Salesforce communication).
- **File indicators:** Data distributed across multiple files totaling >100GB (e.g., CSV/JSON formats containing PII).
- **Behavioral indicators:** Unusual bulk egress traffic from specific Salesforce objects or components.
## Response Actions
- **Containment:** Secured the misconfigured Salesforce webpage to prevent further unauthorized access.
- **Eradication:** Investigation to reconcile the "limited set of data" initially identified with the 100GB eventually leaked.
- **Recovery:** Communication with affected parties and coordination with security researchers (e.g., HIBP).
## Lessons Learned
- **Visibility:** The company's initial "limited set of data" assessment fell far short of the 100GB volume identified after the leak, pointing to a need for a better data inventory.
- **Cloud Security:** SaaS platforms like Salesforce require rigorous security baseline audits; default settings or manual changes can inadvertently expose massive datasets.
- **Extortion Trends:** Extortion campaigns are increasingly shifting from encryption (ransomware) to pure data theft and extortion.
## Recommendations
- **SaaS Security Posture Management (SSPM):** Implement tools to automatically audit Salesforce "Guest User" permissions and public-facing site configurations.
- **Data Minimization:** Regularly purge legacy student/user data that is no longer required for business operations, so that a misconfiguration exposes less.
- **Zero Trust Architecture:** Ensure that web-hosted components require authentication by default and apply the principle of least privilege for data access.
- **Enhanced Logging:** Enable comprehensive logging for Salesforce data exports to detect bulk data harvesting in real time.
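The guest-user permission audit recommended above, as an added example (not McGraw Hill's or Salesforce's own code): the SOQL pulls object-level permissions granted through guest profiles, and `audit_guest_permissions` grades the result. The query shape, the `SENSITIVE_OBJECTS` list and the sample response are assumptions; the object and field names follow the standard Salesforce schema.

```python
"""Audit object permissions granted to Salesforce guest-user profiles.
Added example; the SOQL filter on Parent.Profile.UserType = 'Guest' and the
sample response below are assumptions, not data from the incident."""
import json

# Object-level permissions owned by guest profiles (Sites / Experience Cloud guests).
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
    "PermissionsViewAllRecords, PermissionsCreate, PermissionsEdit "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)

# Standard objects that usually carry PII; extend with your org's custom objects.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "User", "Case"}

def audit_guest_permissions(records, sensitive=SENSITIVE_OBJECTS):
    """Return findings for guest profiles that can read objects, worst first.
    `records` is the 'records' list of a REST /query response."""
    findings = []
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue  # no read access: nothing a guest can harvest here
        obj = rec["SobjectType"]
        severity = "high" if obj in sensitive else "medium"
        if rec.get("PermissionsViewAllRecords"):
            severity = "critical"  # View All bypasses sharing rules entirely
        findings.append({"profile": rec["Parent"]["Profile"]["Name"], "object": obj,
                         "severity": severity,
                         "write": bool(rec.get("PermissionsCreate") or rec.get("PermissionsEdit"))})
    return sorted(findings, key=lambda f: ("critical", "high", "medium").index(f["severity"]))

# Constructed sample response (not real data) in the shape the REST API returns.
SAMPLE_RESPONSE = {"records": [
    {"Parent": {"Profile": {"Name": "Public Site Guest User"}}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True, "PermissionsCreate": False, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Public Site Guest User"}}, "SobjectType": "Case",
     "PermissionsRead": False, "PermissionsViewAllRecords": False, "PermissionsCreate": True, "PermissionsEdit": False},
    {"Parent": {"Profile": {"Name": "Help Center Guest User"}}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False, "PermissionsCreate": False, "PermissionsEdit": False},
]}

if __name__ == "__main__":
    for finding in audit_guest_permissions(SAMPLE_RESPONSE["records"]):
        print(json.dumps(finding))
```

Object permissions are only one layer: guest sharing rules, org-wide defaults and the site's own page configuration also decide what a guest can reach, so treat a clean result here as necessary, not sufficient.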
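The bulk-harvesting detection recommended under Enhanced Logging, which also covers the behavioral indicator listed above, as an added example (not McGraw Hill's or Salesforce's own code): it runs a sliding-window row count over Salesforce EventLogFile `API` rows. The column names follow the EventLogFile API event type; the sample rows, the 10-minute window and the 5,000-row threshold are assumptions to tune per org.

```python
"""Flag principals that read an unusual number of rows from one Salesforce object.
Added example over constructed EventLogFile 'API' rows; window and threshold are
assumptions, not values from the incident."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real log data): one site user pulling Contact rows
# in rapid succession, plus ordinary activity from a staff user.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,2026-04-02T03:10:05.000Z,005GUESTUSER0001,203.0.113.7,Contact,2000
API,2026-04-02T03:10:09.000Z,005GUESTUSER0001,203.0.113.7,Contact,2000
API,2026-04-02T03:10:14.000Z,005GUESTUSER0001,203.0.113.7,Contact,2000
API,2026-04-02T03:10:20.000Z,005GUESTUSER0001,203.0.113.7,Contact,2000
API,2026-04-02T03:11:02.000Z,005GUESTUSER0001,203.0.113.7,Lead,1500
API,2026-04-02T09:00:00.000Z,005STAFFUSER0001,198.51.100.9,Contact,50
API,2026-04-02T09:05:00.000Z,005STAFFUSER0001,198.51.100.9,Case,120
"""

def find_bulk_readers(log_text, window=timedelta(minutes=10), max_rows=5000):
    """Return {(user_id, client_ip): peak_rows} for principals whose rows read
    from any single object exceed `max_rows` inside a sliding `window`."""
    events = defaultdict(list)  # (user, ip, entity) -> [(timestamp, rows)]
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        key = (row["USER_ID"], row["CLIENT_IP"], row["ENTITY_NAME"])
        events[key].append((ts, int(row["ROWS_PROCESSED"])))
    alerts = {}
    for (user, ip, _entity), hits in events.items():
        hits.sort()
        start, total = 0, 0
        for ts, rows in hits:  # sliding window over time-ordered hits
            total += rows
            while ts - hits[start][0] > window:  # drop hits older than the window
                total -= hits[start][1]
                start += 1
            if total > max_rows:
                alerts[(user, ip)] = max(alerts.get((user, ip), 0), total)
    return alerts

if __name__ == "__main__":
    for (user, ip), rows in find_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT bulk read: user={user} ip={ip} rows_in_window={rows}")
```

Event log files are delivered hourly or daily, so for the real-time detection the recommendation calls for, the same logic belongs on a streaming source such as Real-Time Event Monitoring, with the threshold set from a baseline of normal per-object read volumes.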