McGraw-Hill Confirms Data Breach Following Extortion Threat

What happened

McGraw-Hill confirmed a data breach after unauthorized access to a limited set of data from a webpage hosted on the Salesforce platform. The company said the incident appears to be part of a broader Salesforce environment misconfiguration affecting multiple organizations. McGraw-Hill said the breach did not involve unauthorized access to its Salesforce accounts, customer databases, courseware, or internal systems. It also said its investigation, conducted with external cybersecurity experts, found that the exposed information did not include Social Security numbers, financial account information, or student data from its educational platforms. The disclosure came after the ShinyHunters extortion group listed McGraw-Hill on its leak site and threatened to release stolen data by April 14 unless a ransom was paid. McGraw-Hill said the affected webpages were secured immediately after the unauthorized activity was detected. 

Who is affected

The direct exposure affects McGraw-Hill and the limited data accessible through the affected Salesforce-hosted webpage. McGraw-Hill said the breach did not affect its customer databases, educational platform student data, courseware, Salesforce accounts, or internal systems. 

Why CISOs should care

This incident matters because it shows how a misconfiguration in a third-party cloud platform can still create exposure even when core internal systems and primary customer databases are not breached. It also highlights the pressure organizations face when a limited breach is paired with a public extortion threat and conflicting attacker claims about the sensitivity and scale of the data. 

3 practical actions

  1. Review third-party hosted webpages: Identify what data is exposed through externally hosted pages and whether those pages sit outside the same controls used for core databases and internal systems. 
  2. Validate breach scope against attacker claims: Establish quickly whether leaked or claimed datasets match what internal investigation shows, especially when extortion groups publicly assert much larger or more sensitive exposure. 
  3. Treat cloud misconfiguration as a business risk: Make sure security reviews account for platform-level misconfigurations that may affect multiple customers at once, even when no direct account compromise is involved. 