Textbook publisher McGraw Hill has ended up on a ransomware crew’s leak site after what appears to have been a Salesforce-linked misconfiguration exposed a large volume of personal data.
According to Have I Been Pwned, the breach involved names, phone numbers, email addresses, and in some cases physical addresses. McGraw Hill has described the source as a “limited” Salesforce-hosted webpage, although the dataset now said to be circulating publicly is reported to exceed 100 GB and includes 13.5 million email addresses.
That is the awkward thing about “limited” exposure. Once the data is out, the adjective stops helping.
Most Salesforce-related incidents are not caused by some dramatic failure in Salesforce itself. More often, the damage comes from stolen credentials, abused OAuth applications, or integrations with far too much access. That gives attackers a perfectly respectable front door through which to quietly empty the cupboards.
The incident surfaced earlier this week when the ShinyHunters crew added McGraw Hill to its leak site alongside other victims. The listing claimed to hold more than 40 million Salesforce records containing personally identifiable information and alleged that the company failed to pay before an April 14 deadline.
McGraw Hill has been notably quiet on its own public channels. There was no mention of the incident on its website, and no response to questions from The Register. In comments to other outlets, however, it said the activity “appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations.”
The company also stressed that the incident “did not involve unauthorized access to McGraw Hill’s Salesforce accounts, customer databases, courseware, or internal systems.” That may be technically true, and perhaps legally useful, but it is unlikely to reassure anyone whose details may now be circulating online.
Salesforce did not respond to questions from The Register.
ShinyHunters has form here. The group has previously targeted Salesforce-linked environments, including campaigns focused on weaknesses in connected services rather than direct compromise of core systems.
For McGraw Hill, a business built around digital learning platforms, assessments, and educational infrastructure, the optics are grim. The broader lesson is not particularly subtle: a supposedly narrow exposure can become a very large problem the moment it escapes into public circulation.
And once a ransomware crew is reading your records like assigned homework, the distinction between “limited” and “catastrophic” starts to look fairly academic.