Cybersecurity | April 19, 2026

McGraw Hill Breach Exposes 13.5 Million Emails via Misconfigured Salesforce Page

Misconfigured Salesforce page leaked 13.5 million emails and personal data. See impact, attacker details, and defender actions.

Peter Olaleru, Cybersecurity Editor | 3 min read | US


**TL;DR** A misconfigured Salesforce page exposed 13.5 million email addresses and some personal details. McGraw Hill confirms its internal systems were not compromised.

## Context

The incident occurred when a publicly accessible Salesforce page was left with overly permissive sharing settings, so its records could be read without authentication. Attackers harvested the data and posted it online, from where it was loaded into Have I Been Pwned. McGraw Hill disclosed the breach after security researchers noticed the leak.

## Key Facts

- 13.5 million unique email addresses were exposed in a 100GB dump.
- Depending on the record, full names, physical addresses, and phone numbers also appeared.
- No Social Security numbers, financial data, or academic records were included.
- McGraw Hill stated that its core internal systems, customer databases, and proprietary courseware were not affected.
- The breach is attributed to the ShinyHunters group, which has recently hit the European Commission, Match Group, and Rockstar Games.

## What It Means

The root cause is a misconfiguration, not an exploited software flaw: the page handed its records to anyone who requested them, so no exploit was needed. MITRE ATT&CK T1190 (Exploit Public-Facing Application) is therefore a loose fit; the closer mapping is collection from a misconfigured cloud data store, T1530 (Data from Cloud Storage) or T1213 (Data from Information Repositories). While no passwords were leaked, the email-name-phone-address combinations enable convincing spear-phishing and identity fraud, and credential stuffing against accounts whose passwords surfaced in other breaches.

**Mitigations / What Defenders Should Do**

- Review Salesforce sharing settings for every public site: audit the Guest User profile's object and field permissions, the org-wide defaults and any guest sharing rules, and remove read access to every object and field the site does not strictly need.
- Enforce the principle of least privilege on all cloud-app integrations, including connected apps and API users.
- Monitor for anomalous data export and bulk-read activity using Cloud Access Security Broker (CASB) logs and Salesforce's own event logs.
- Apply Salesforce Security Guide recommendations, including Login IP Restrictions and Session Settings. Note that these govern authenticated sessions and do not close an unauthenticated guest read, so they complement the sharing review rather than replace it.
- Deploy detection rules for MITRE ATT&CK T1078 (Valid Accounts) and T1530 (Data from Cloud Storage).
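One way to carry out the guest-access review from the first mitigation above, as an added example that is not McGraw Hill's or Salesforce's code: a Python script that audits a Guest User profile exported in Salesforce Metadata API XML and produces a tightened copy. The sample profile is constructed for this example, and the sets of sensitive objects and field-name suffixes are assumptions to tailor per org. It covers profile object and field permissions only; org-wide defaults and guest sharing rules, which also grant guest access, live outside the profile file and need their own review.

```python
"""Audit a Salesforce Guest User profile (Metadata API XML) for over-broad access."""
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
ET.register_namespace("", NS["sf"])  # keep the default namespace on re-serialisation

# Assumption: objects and field-name suffixes a site guest should normally never read.
# Example lists for this script, not Salesforce defaults; tailor them to the org.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "User", "Case"}
SENSITIVE_FIELD_SUFFIXES = ("Email", "Phone", "MailingStreet", "MailingCity", "Street")

# Constructed sample: a guest profile with the kind of weak settings the article describes.
WEAK_GUEST_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <fieldPermissions><editable>false</editable><field>Contact.Email</field><readable>true</readable></fieldPermissions>
    <fieldPermissions><editable>false</editable><field>Contact.Phone</field><readable>true</readable></fieldPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete><allowEdit>false</allowEdit>
        <allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object><viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete><allowEdit>false</allowEdit>
        <allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
        <object>Knowledge__kav</object><viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userLicense>Guest User License</userLicense>
</Profile>
"""


def _flag(elem, tag):
    """True when the boolean child <tag> of a permission element is set to true."""
    child = elem.find(f"sf:{tag}", NS)
    return child is not None and (child.text or "").strip().lower() == "true"


def _set(elem, tag, value):
    child = elem.find(f"sf:{tag}", NS)
    if child is not None:
        child.text = value


def audit_guest_profile(profile_xml):
    """Return findings as (kind, name, detail) tuples; an empty list means nothing flagged."""
    root = ET.fromstring(profile_xml)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="", namespaces=NS)
        if _flag(op, "allowRead") and obj in SENSITIVE_OBJECTS:
            findings.append(("object_read", obj, "guest can read a PII-bearing object"))
        if _flag(op, "viewAllRecords") or _flag(op, "modifyAllRecords"):
            findings.append(("view_all", obj, "View/Modify All bypasses sharing rules entirely"))
        if any(_flag(op, t) for t in ("allowCreate", "allowEdit", "allowDelete")):
            findings.append(("object_write", obj, "guest has write access"))
    for fp in root.findall("sf:fieldPermissions", NS):
        field = fp.findtext("sf:field", default="", namespaces=NS)
        if _flag(fp, "readable") and field.endswith(SENSITIVE_FIELD_SUFFIXES):
            findings.append(("field_read", field, "guest can read a PII field"))
    return findings


def readable_objects(profile_xml):
    """Set of objects the profile grants Read on; useful to confirm a site still works."""
    root = ET.fromstring(profile_xml)
    return {op.findtext("sf:object", default="", namespaces=NS)
            for op in root.findall("sf:objectPermissions", NS) if _flag(op, "allowRead")}


def harden_guest_profile(profile_xml, allowed_objects):
    """Return the profile XML with Read kept only for allowed_objects, all write and
    View/Modify All permissions cleared, and sensitive field reads revoked."""
    root = ET.fromstring(profile_xml)
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="", namespaces=NS)
        for tag in ("viewAllRecords", "modifyAllRecords", "allowCreate", "allowEdit", "allowDelete"):
            _set(op, tag, "false")
        if obj not in allowed_objects:
            _set(op, "allowRead", "false")
    for fp in root.findall("sf:fieldPermissions", NS):
        if fp.findtext("sf:field", default="", namespaces=NS).endswith(SENSITIVE_FIELD_SUFFIXES):
            _set(fp, "readable", "false")
            _set(fp, "editable", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for kind, name, detail in audit_guest_profile(WEAK_GUEST_PROFILE):
        print(f"[{kind}] {name}: {detail}")
    fixed = harden_guest_profile(WEAK_GUEST_PROFILE, allowed_objects={"Knowledge__kav"})
    print("findings after hardening:", audit_guest_profile(fixed))
```

Run it against the Guest User `.profile` file retrieved with the Metadata API or the Salesforce CLI, with `allowed_objects` set to the handful of objects the public site genuinely serves (knowledge articles, a contact-us form object); anything else the script strips. Deploy the hardened file back through the same channel, then re-test the site unauthenticated, because a profile fix does nothing for records that a guest sharing rule still exposes.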

Watch for follow‑up extortion attempts and increased phishing campaigns targeting the exposed addresses.
