McGraw Hill breach exposes 13.5M accounts via Salesforce misconfig, fueling phishing risks and raising urgent cloud security concerns.

Continue reading
An education giant, a cloud misconfiguration, and a leak that keeps growing. McGraw Hill has confirmed unauthorized access to a limited set of data hosted on a Salesforce webpage, while breach trackers and security outlets say the incident has now expanded into a public dump tied to 13.5 million accounts.
The company says its Salesforce accounts, customer databases, courseware, and internal systems were not accessed, but Have I Been Pwned says the public material includes more than 100GB of files, with 13.5 million unique email addresses and additional records containing names, phone numbers, and physical addresses.
According to reports, the ShinyHunters extortion group claimed responsibility after breaching McGraw Hill’s Salesforce environment earlier this month and later leaked the stolen data. McGraw Hill said the activity appears to stem from a broader Salesforce environment misconfiguration affecting multiple organizations, and the company said it secured the affected webpages once the issue was discovered.
The headline figure is not just the size of the leak, but the shape of the data. HIBP lists email addresses, names, phone numbers, and physical addresses as the compromised data classes, which makes the breach especially useful for phishing, impersonation, and identity-enrichment attacks even if highly sensitive fields such as Social Security numbers or financial details were not exposed. That is the real operational risk here: the data is not merely “leaked,” it is usable.
This incident reads less like a classic perimeter break and more like a cloud trust failure. The Record reports that Salesforce said there is no indication the platform itself was compromised, which pushes the spotlight toward customer-side configuration, access scope, and connected application hygiene. In plain terms, the weak point appears to be the space between “authorized access” and “too much access,” and that is where attackers keep finding leverage. That is an inference from the reporting, but it fits the broader pattern of recent Salesforce-targeted activity described by multiple outlets.
McGraw Hill is not just another enterprise. It sits inside a sector that handles students, parents, educators, institutions, and professional learners at scale. Even when a breach is framed as “limited,” the downstream value can be high because contact data can be repurposed across academic phishing, vendor impersonation, fake billing notices, account recovery scams, and credential-harvesting campaigns. The leak becomes a launchpad, not just an archive. That conclusion follows from the exposed data categories and the way ShinyHunters has used similar troves in recent campaigns.
For affected users, the immediate move is to change reused passwords, enable two-factor authentication wherever available, and watch for targeted messages that reference real personal details. HIBP explicitly recommends password changes and 2FA after the breach, and the presence of names, emails, phone numbers, and physical addresses means convincing social engineering should be expected, not dismissed. For organizations, the lesson is sharper still: audit Salesforce-connected pages, review guest and integration permissions, and treat every externally reachable data surface as a potential exfiltration path.
McGraw Hill’s breach is best understood as a cloud misconfiguration incident with mass downstream exposure. The company says core internal systems were not touched, but the public dump and the 13.5 million-account scale mean the practical damage is already real. In cybersecurity terms, the breach is not defined by what was not taken. It is defined by what is now circulating.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.