McGraw Hill Salesforce Misconfiguration Exposes 13.5 Million Records
Details on how a Salesforce misconfiguration led to a 100GB leak of 13.5 million email addresses and personal data from McGraw Hill, plus mitigation steps.
**TL;DR:** A misconfigured Salesforce Experience Cloud site exposed 13.5 million email addresses, names, and phone numbers from McGraw Hill; core systems remained untouched.
Context: Security researchers first noticed the leak in early September 2024 after a 100GB dump appeared on a hacker forum and was shared via a Telegram channel. Have I Been Pwned indexed the data, confirming 13.5 million unique email addresses. Threat intelligence linked the exposure to the ShinyHunters group, which has recently targeted several high‑profile SaaS assets. McGraw Hill issued a statement emphasizing that its main servers, internal databases, and proprietary courseware were not affected.
Key Facts: For some records, the leaked dataset includes full names, physical addresses, and phone numbers alongside the email addresses. The breach was confined to a single misconfigured webpage hosted on McGraw Hill’s Salesforce platform, not its primary infrastructure. No Social Security numbers, financial information, or academic records were present in the exposed file.
What It Means: Although the most sensitive data was absent, the combination of email, name, and address provides a rich feed for targeted spear‑phishing and credential‑stuffing attacks. Attackers can use personal details to craft convincing lures that increase the likelihood of credential reuse across other services. The incident underscores how a single SaaS misconfiguration can undermine an organization’s overall security posture, reinforcing the need for vigilance in the shared responsibility model.
Mitigations: Review and tighten Salesforce sharing settings, especially guest user and site access controls. Enable Salesforce Event Monitoring and set up alerts for anomalous data export or bulk data access. Apply the principle of least privilege to profiles and permission sets, disabling unnecessary API access. Conduct regular penetration testing of public‑facing Salesforce communities and use tools like Salesforce Security Health Check. Implement data loss prevention rules to block export of email address lists. Enforce multi‑factor authentication for all admin and integration users. Restrict login by IP range where feasible and review OAuth connected apps for excessive permissions.
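The guest-user review above is easiest to do against the org's own metadata. The following is an added audit script, not code from McGraw Hill or Salesforce: it takes rows shaped like a SOQL query over `ObjectPermissions` (a standard Salesforce object) and flags guest profiles that can read objects holding contact data. The SOQL string, the filter on `Profile.UserType = 'Guest'`, and the list of PII-bearing objects are assumptions for this example; the sample rows are constructed.

```python
"""Audit Salesforce guest-user profiles for object permissions that would let an
unauthenticated Experience Cloud visitor read personal data."""
from dataclasses import dataclass

# Query this audit expects as input, run against the REST query endpoint.
# ObjectPermissions/Profile are standard objects; using UserType = 'Guest' to
# isolate site guest profiles is an assumption for this example.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SObjectType, PermissionsRead, "
    "PermissionsViewAllRecords FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)

# Objects that commonly hold names, addresses, phone numbers and emails (assumed list).
PII_OBJECTS = {"Contact", "Lead", "Account", "Case", "User"}


@dataclass(frozen=True)
class Finding:
    profile: str
    sobject: str
    severity: str
    reason: str


def audit_guest_object_permissions(records):
    """Return a Finding for each guest profile that can read a PII-bearing object.

    `records` are rows in the shape the REST API returns for the SOQL above
    (nested dicts for the Parent.Profile relationship)."""
    findings = []
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue  # no read access: this object is not exposed via this profile
        sobject = rec["SObjectType"]
        if sobject not in PII_OBJECTS:
            continue
        profile = rec["Parent"]["Profile"]["Name"]
        if rec.get("PermissionsViewAllRecords"):
            findings.append(Finding(profile, sobject, "high",
                                    "guest has View All Records on a PII object"))
        else:
            findings.append(Finding(profile, sobject, "medium",
                                    "guest has Read on a PII object; verify org-wide "
                                    "defaults and guest sharing rules"))
    return findings


# Constructed sample rows (not real McGraw Hill data).
SAMPLE_ROWS = [
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SObjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SObjectType": "Lead",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SObjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]

if __name__ == "__main__":
    for f in audit_guest_object_permissions(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.profile} / {f.sobject}: {f.reason}")
```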
Watch for follow‑on phishing campaigns that leverage the leaked personal details and monitor threat feeds for renewed ShinyHunters activity targeting other Salesforce implementations.