International hacker group hits major education website

The threat actor claims to hold 45 million Salesforce records containing personally identifiable information (PII).


The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, according to Bleeping Computer. The data was stolen after breaching the company’s Salesforce environment.

Founded in 1909, McGraw Hill is a leading global educational publisher with annual revenue of $2.2 billion. It provides education content and solutions for PreK–12, higher education, and professional learning.

The company confirmed ShinyHunters’ breach claims. The statement indicates that the threat actors exploited a misconfiguration in the compromised Salesforce environment and that the incident didn’t affect its Salesforce accounts, courseware, customer databases, or internal systems.

The threat actor claims to hold 45 million Salesforce records containing personally identifiable information (PII), according to The Register.

To gain an insight into the cyber-event, Digital Journal has heard from Ross Filipek, CISO at Corsica Technologies.

Filipek begins by explaining the attack: “McGraw-Hill says attackers abused a Salesforce misconfiguration to access a limited, ‘non-sensitive’ dataset, while ShinyHunters is publicly claiming far more, including tens of millions of Salesforce records with personally identifiable information.”

As to the importance of the theft, Filipek explains: “In an education context, even ‘boring’ CRM-style data can be rocket fuel: staff and faculty directories, emails, roles, support case notes, school or district identifiers, and contact records can be stitched into high-confidence phishing and account-takeover campaigns.”

Turning his attention to the attacker, Filipek’s profile begins: “ShinyHunters has no shortage of options for potential follow-up campaigns. They can target instructors with convincingly branded messages, pivot into downstream tools, and even impersonate trusted contacts to push payment redirection or harvest credentials.”

Expanding on the damage potential, Filipek says: “For students and families, the fallout can range from identity fraud attempts to harassment and doxxing, plus the quieter, longer-term damage of having educational affiliation and contact details circulating in criminal markets.”

In terms of the wider context, Filipek points out: “This situation feels eerily familiar. Last year’s PowerSchool breach demonstrated how attackers can monetize education data at scale through extortion. Both attacks exploited weak points in SaaS configurations and pressured the victims through a leak website with the goal of being paid a hefty ransom.”

Learning institutions are especially vulnerable: “Educational institutions and learning platforms should tighten their third-party and contractor access with least privilege access controls and strong multi-factor authentication.”

In terms of preventative advice, Filipek recommends: “Further, they should back that up with centralized, continuously managed monitoring and response plus automated configuration and vulnerability governance to eliminate risky access paths and ensure misconfigurations are identified, prioritized, and remediated quickly, before attackers can turn them into leverage.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
