April 2026 Breaches: 10‑Petabyte Supercomputer Hack and 45 Million McGraw Hill Records Stolen
April 2026 saw a Chinese supercomputer breach of 10 PB and a Salesforce misconfiguration exposing 45 million McGraw Hill records. Learn the impact and mitigations.
TL;DR
A Chinese state‑run supercomputer lost an estimated 10 petabytes of data, while ShinyHunters claims to have exfiltrated 45 million McGraw Hill records via a Salesforce misconfiguration.
### Context

April 2026 delivered two of the largest data exposures of the year. The supercomputer incident involved a nation‑state actor targeting a high‑performance computing platform that stores defense‑grade research. In the United States, the education publisher McGraw Hill suffered a cloud‑configuration error that exposed millions of learner records.
### Key Facts

- Supercomputer breach: Security analysts report that a Chinese state‑run supercomputer was accessed and 10 petabytes—roughly the data of 2 million high‑definition movies—were copied. The stolen material is believed to include classified defense documents, missile schematics, and other sensitive research. The attack appears to have leveraged a compromised administrative credential, a classic MITRE ATT&CK technique *T1078 – Valid Accounts*.
- McGraw Hill leak: The hacker group ShinyHunters announced the theft of 45 million records from a Salesforce database. The breach stemmed from a misconfigured object permission that left the entire dataset publicly readable. The exposed fields contain names, email addresses, school affiliations, and purchase histories. The group used automated scraping tools, matching ATT&CK technique *T1020 – Automated Collection*.
- Supply‑chain spill at Mercor: In a related supply‑chain incident, AI startup Mercor lost four terabytes of data after a compromised LiteLLM component—an open‑source library that routes language‑model calls—allowed an attacker to exfiltrate model training data. The incident underscores the risk of third‑party code in AI pipelines.
- Financial impact: Preliminary estimates place the supercomputer breach at a strategic cost exceeding $4 billion in lost intellectual property and remediation. McGraw Hill faces potential class‑action lawsuits and regulatory fines that could total $200 million.
### What It Means

The supercomputer hack demonstrates that even highly isolated research clusters remain vulnerable when privileged credentials are reused or poorly protected. The McGraw Hill incident shows that cloud‑native platforms like Salesforce can become attack vectors through simple configuration errors. Together, these breaches highlight a shift: attackers are exploiting both high‑value nation‑state assets and everyday SaaS misconfigurations to achieve massive data theft.
### Mitigations

- Credential hygiene: Enforce multi‑factor authentication and rotate privileged passwords every 30 days. Deploy privileged‑access management solutions to monitor *Valid Accounts* abuse.
- Configuration audits: Run automated scans (e.g., Salesforce Shield or third‑party CSPM tools) to detect overly permissive object settings. Apply the principle of least privilege to all cloud resources.
- Supply‑chain hardening: Pin dependencies to known‑good versions, verify signatures of libraries like LiteLLM, and monitor for anomalous outbound traffic from AI workloads.
- Detection signatures: Deploy IDS/IPS rules for known *Automated Collection* patterns and enable logging of bulk data export events in cloud platforms.
- Incident response: Update playbooks to include rapid containment of credential‑based breaches and cloud‑misconfiguration fallout. Conduct tabletop exercises that simulate petabyte‑scale exfiltration.
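
For the supply‑chain hardening item, one way to check that a Python dependency file is pinned is sketched below. It is an added example, not code from the article or from LiteLLM; it audits pip‑style requirements for exact `==` versions and `--hash=sha256:` entries (hash pinning, which is not the same as signature verification), and the file contents, version numbers and digests are constructed placeholders.

```python
import re

# Constructed sample requirements file; versions and digests are placeholders.
SAMPLE = """\
# AI gateway dependencies
litellm==0.0.0 \\
    --hash=sha256:{h1}
requests>=2.0
pyyaml==6.0.1
httpx==0.27.*  --hash=sha256:{h2}
""".format(h1="a" * 64, h2="b" * 64)

# name[extras]==exact-version, optional environment marker; wildcards are rejected.
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^*\s;]+\s*(;.*)?$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})\b")

def logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():  # file ended on a continuation line
        yield buf.strip()

def audit(text):
    """Return {requirement: [problems]} for entries that are not pinned and hashed."""
    findings = {}
    for line in logical_lines(text):
        if line.startswith("-"):  # pip options such as -r or --index-url
            continue
        spec = line.split("--hash", 1)[0].strip()
        problems = []
        if not PIN_RE.match(spec):
            problems.append("not pinned to an exact version")
        if not HASH_RE.search(line):
            problems.append("no sha256 hash")
        if problems:
            findings[spec] = problems
    return findings

if __name__ == "__main__":
    for req, problems in audit(SAMPLE).items():
        print(f"{req}: {', '.join(problems)}")
```

A file that passes this audit can be installed with pip's `--require-hashes` option, which makes pip refuse any package whose downloaded archive does not match a listed digest.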
What to watch next: Analysts expect more nation‑state actors to target high‑performance computing clusters, while SaaS providers will likely tighten default permissions after the McGraw Hill fallout. Monitoring upcoming CVE disclosures for credential‑management software will be critical.