ZCyberNews
Threat Intel | High | 3 min read

McGraw-Hill Data Breach Exposes 13.5 Million Users via Salesforce

Education publisher McGraw-Hill confirms a data breach exposing 13.5 million users' personal data, linked to a misconfigured Salesforce environment. Over 100GB of stolen data has been publicly distributed online following an extortion attempt.

Executive Summary

A misconfigured Salesforce environment at education publishing giant McGraw-Hill has led to a data breach exposing the personal information of approximately 13.5 million users. The company confirmed the incident in April 2026 after threat actors attempted extortion and subsequently publicly distributed over 100GB of stolen data. The breach highlights the persistent risk of cloud service misconfigurations in enterprise environments.

Technical Analysis

The breach originated from a security misconfiguration in McGraw-Hill's Salesforce implementation; Salesforce is a widely used customer relationship management (CRM) platform. The public disclosure does not say what the misconfiguration was. In Salesforce environments the recurring causes of this class of incident are over-permissive org-wide sharing defaults, guest-user (unauthenticated site visitor) profiles with read access to objects, and API or connected-app access that is not scoped to the records a caller actually needs; any of these lets data be pulled out through the platform's own interfaces without exploiting a software flaw. According to the company's statement, the exposed data included personal information. The threat actors exfiltrated this data and released it publicly after their extortion attempt against McGraw-Hill failed or was not met. Public distribution of a 100GB+ dataset materially raises the risk of downstream fraud, targeted phishing and credential-stuffing attacks against the affected user base.

Tactics, Techniques & Procedures

The threat actors' TTPs follow a common pattern for cloud-centric data theft and extortion. Initial access was most likely abuse of the misconfiguration itself rather than a software vulnerability; MITRE ATT&CK folds misconfiguration of an Internet-facing system into Exploit Public-Facing Application (T1190). Collection maps to Data from Information Repositories (T1213), specifically the Customer Relationship Management Software sub-technique (T1213.004), followed by exfiltration (TA0010). The extortion demand is Financial Theft (T1657); the public data dump is the pressure phase of the same extortion play and has no dedicated ATT&CK technique. The steal-then-leak sequence is the hallmark of data-extortion operations, though the details of the initial ransom demand are unclear.

Threat Actor Context

The specific threat actor or group behind this breach has not been publicly attributed. The tactics—exploiting a cloud misconfiguration, attempting extortion, and publicly leaking data when demands are not met—are consistent with a wide range of cybercriminal actors, from ransomware affiliates to dedicated data extortion groups. The focus on a large, data-rich target in the education sector suggests a financially motivated operation.

Mitigations & Recommendations

Organizations using cloud platforms like Salesforce must implement rigorous configuration management and continuous security posture monitoring. McGraw-Hill has stated it is reviewing its security controls and working with external experts. For affected individuals, the company is offering credit monitoring and identity protection services. Broader recommendations include:

  • Implement Cloud Security Posture Management (CSPM), extended to SaaS tenants: continuously audit cloud environments against security benchmarks, including Salesforce sharing defaults, guest-user profiles and connected-app scopes, which CSPM tools built for IaaS often do not cover.
  • Enforce Least-Privilege Access: strictly limit data access within CRM and cloud storage systems to the identities that need it for business functions, and treat unauthenticated guest users and external community users as the highest-risk principals.
  • Monitor for Data Exposure: Deploy data loss prevention (DLP) tools and monitor underground forums for signs of corporate data being offered for sale or published.
  • User Awareness: Affected users should enable multi-factor authentication on all accounts, be vigilant for phishing emails referencing the breach, and consider placing a fraud alert on their credit files.
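One way to turn the posture-management and least-privilege recommendations above into a repeatable check, as an added example that is not code from the article, McGraw-Hill or Salesforce: a Python audit over a constructed snapshot whose shape mirrors Salesforce Profile metadata (objectPermissions, fieldPermissions) and CustomObject metadata (sharingModel, externalSharingModel). The field names, the set of licenses treated as external, the PII field list and the sample data are assumptions for illustration; a real run would feed it metadata retrieved from the org.

```python
"""CSPM-style posture check for CRM sharing and permission metadata.

Added example, not code from the article, McGraw-Hill or Salesforce.
It audits a constructed, simplified snapshot mirroring the shape of
Salesforce Profile and CustomObject metadata and flags settings that
let unauthenticated guest or external community users reach records.
License names, PII fields and the sample snapshot are assumptions.
"""
from dataclasses import dataclass

# Licenses whose users sit outside the organisation (assumption: a subset of
# Salesforce license names; "Guest" is the unauthenticated site visitor).
EXTERNAL_LICENSES = {"Guest", "Customer Community",
                     "Customer Community Plus", "Partner Community"}

# Fields treated as personal data for this check (assumption).
PII_FIELDS = {
    "Contact": {"Email", "Phone", "MailingStreet", "Birthdate"},
    "Account": {"BillingStreet"},
}

# Org-wide external defaults that expose records without explicit sharing.
OPEN_EXTERNAL_DEFAULTS = {"Read", "ReadWrite", "ReadWriteTransfer"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    principal: str  # profile name
    target: str     # object name or Object.Field
    reason: str


def audit_snapshot(snapshot):
    """Return a list of Findings for exposures visible in the snapshot."""
    findings = []
    objects = {o["fullName"]: o for o in snapshot.get("objects", [])}

    for profile in snapshot.get("profiles", []):
        name = profile["fullName"]
        license_name = profile.get("userLicense", "")
        external = license_name in EXTERNAL_LICENSES
        guest = license_name == "Guest"

        for op in profile.get("objectPermissions", []):
            obj = op["object"]
            # View All Records bypasses sharing rules entirely.
            if external and op.get("viewAllRecords"):
                findings.append(Finding("high", name, obj,
                    "external profile has View All Records, bypassing sharing rules"))
            # Guest read on an object whose external default is open: every
            # record is reachable with no authentication at all.
            if guest and op.get("allowRead"):
                ext_default = objects.get(obj, {}).get("externalSharingModel", "Private")
                if ext_default in OPEN_EXTERNAL_DEFAULTS:
                    findings.append(Finding("high", name, obj,
                        f"guest profile can read {obj} and external default is {ext_default}"))
            if guest and (op.get("allowCreate") or op.get("allowEdit") or op.get("allowDelete")):
                findings.append(Finding("low", name, obj,
                    "guest profile has write access; confirm it is required (e.g. web-to-case)"))

        for fp in profile.get("fieldPermissions", []):
            obj, _, field_name = fp["field"].partition(".")
            if external and fp.get("readable") and field_name in PII_FIELDS.get(obj, ()):
                findings.append(Finding("medium", name, fp["field"],
                    "external profile can read a personal-data field"))

    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample snapshot for illustration (not real McGraw-Hill data).
SAMPLE_SNAPSHOT = {
    "objects": [
        {"fullName": "Contact", "sharingModel": "Private", "externalSharingModel": "Read"},
        {"fullName": "Account", "sharingModel": "Private", "externalSharingModel": "Private"},
        {"fullName": "Case", "sharingModel": "Private", "externalSharingModel": "Private"},
    ],
    "profiles": [
        {"fullName": "Support Site Guest Profile", "userLicense": "Guest",
         "objectPermissions": [
             {"object": "Contact", "allowRead": True},
             {"object": "Account", "allowRead": True},
             {"object": "Case", "allowRead": True, "allowCreate": True},
         ],
         "fieldPermissions": [
             {"field": "Contact.Email", "readable": True},
             {"field": "Contact.Phone", "readable": True},
             {"field": "Contact.Title", "readable": True},
         ]},
        {"fullName": "Customer Community User", "userLicense": "Customer Community",
         "objectPermissions": [{"object": "Account", "allowRead": True, "viewAllRecords": True}],
         "fieldPermissions": []},
        {"fullName": "Sales Rep", "userLicense": "Salesforce",
         "objectPermissions": [{"object": "Contact", "allowRead": True, "viewAllRecords": True}],
         "fieldPermissions": [{"field": "Contact.Email", "readable": True}]},
    ],
}

if __name__ == "__main__":
    for f in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.principal}: {f.target} - {f.reason}")
```

On the sample snapshot the audit reports the guest profile's read on Contact (external default Read) and the community user's View All Records on Account as high, the two guest-readable PII fields as medium, and the guest create right on Case as low; the internal Sales Rep profile produces nothing, and guest read on Account is silent because its external default is Private. Run the same check on every metadata export or deployment to catch a sharing change before it becomes a breach.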
