Salesforce misconfiguration breaches have become a systemic problem in 2026, with education giant McGraw Hill the latest high-profile victim. The company confirmed unauthorized access to data hosted on a Salesforce-managed webpage, joining dozens of other organizations caught in what security researchers are calling a broader architectural flaw within Salesforce’s platform environment.
Key Takeaways
- McGraw Hill suffered unauthorized access to limited data from a Salesforce-hosted webpage due to platform misconfiguration
- Threat actor ShinyHunters claims to hold 45 million Salesforce records containing personally identifiable information
- Separate threat group Scattered LAPSUS$ Hunters targeted approximately 40 Salesforce customers through vishing and modified software
- Exposed data does not include Social Security numbers, financial information, or student educational records
- ShinyHunters issued a final extortion deadline of 14 April 2026 before threatening to leak data
What Happened in the McGraw Hill Breach
The unauthorized access to a limited dataset stored on a Salesforce webpage occurred on 11 April 2026, and McGraw Hill discovered the intrusion the following day. The company moved quickly to secure the affected webpages and engaged Salesforce and external cybersecurity experts to investigate. Critically, the breach did not involve direct access to McGraw Hill’s Salesforce accounts, customer databases, internal courseware systems, or core infrastructure.
The exposed data does not contain Social Security numbers, financial account details, or student records from McGraw Hill’s educational platforms. McGraw Hill’s statement emphasized the limited nature of what was exposed: “This activity appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations that work with Salesforce,” a company spokesperson told BleepingComputer. This framing is significant because it shifts responsibility from McGraw Hill’s own security posture to Salesforce’s platform architecture.
The Threat Actor’s Contradictory Claims
ShinyHunters, the threat group behind the breach, tells a different story. The group claims to have stolen 45 million Salesforce records containing personally identifiable information. The discrepancy between McGraw Hill’s assertion of “limited, non-sensitive data” and ShinyHunters’ claim of millions of PII records remains unresolved. ShinyHunters issued an extortion threat with a deadline: “Pay or leak. This is a final warning to reach out by 14 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way”.
The ransom amount was not publicly disclosed, but the threat’s timing—issued just before breach discovery reports surfaced—suggests the group was applying pressure as news of the incident spread. ShinyHunters has proven prolific in 2026, claiming breaches at Rockstar Games, Hims & Hers, the European Commission, Telus Digital, Wynn Resorts, Canada Goose, Match Group, Panera Bread, and CarGurus.
Salesforce Misconfiguration Breaches Extend Far Beyond McGraw Hill
McGraw Hill is not an isolated incident. A separate threat group, Scattered LAPSUS$ Hunters, has targeted approximately 40 Salesforce customers using social engineering and malicious software. Their attack method is particularly concerning: they used vishing (voice phishing) to trick employees into downloading a modified version of Salesforce’s Data Loader application. This approach bypasses traditional perimeter defenses by compromising legitimate tools that users trust.
One documented victim, FedEx, lost 1.1 terabytes of data containing 166 million records of personally identifiable information on 31 August 2025. The scale of that breach illustrates how catastrophic a single misconfiguration can become when exploited at enterprise scale. Unlike McGraw Hill’s breach, which the company claims was limited, the Scattered LAPSUS$ Hunters campaign demonstrates that Salesforce misconfigurations can expose massive datasets when threat actors gain access to core customer systems.
Why Salesforce Misconfiguration Breaches Matter Now
Salesforce is not a niche platform—it powers customer relationship management for millions of enterprises globally. When Salesforce’s default configurations leave data accessible, the blast radius is enormous. These breaches suggest that either Salesforce’s default security settings are insufficient, organizations are failing to properly configure their instances, or both. The platform’s complexity may be a contributing factor; enterprises often struggle to understand which data is exposed and which is protected.
The timing of these incidents—multiple breaches from different threat groups in the same quarter—indicates that word has spread in criminal underground forums about how to exploit Salesforce misconfigurations. Once a technique works, threat actors share it, and the attacks accelerate. Organizations using Salesforce now face a credibility problem: they must assume their data may already be exposed unless they can prove otherwise.
What McGraw Hill’s Response Reveals
McGraw Hill’s statement carefully distinguishes between what was exposed and what was protected. The company emphasizes that student data, courseware, and financial systems remained secure. This framing suggests McGraw Hill is attempting to minimize reputational damage by separating the breach from its core educational mission. However, the exposure of any personally identifiable information from a Salesforce webpage raises questions about what other data might be accessible through similar misconfigurations.
The company worked with Salesforce and external cybersecurity experts to investigate and remediate. This collaborative approach is standard practice, but it also highlights a troubling dynamic: organizations are dependent on Salesforce to help them understand what they have exposed. If Salesforce’s visibility into misconfigurations is incomplete, organizations may never know the true scope of what was compromised.
FAQ
What is a Salesforce misconfiguration?
A Salesforce misconfiguration occurs when an organization fails to properly restrict access to data stored on Salesforce’s platform, leaving sensitive information accessible to unauthorized parties. In the McGraw Hill case, a webpage hosted by Salesforce was left exposed due to incorrect permission settings.
Does a Salesforce misconfiguration breach mean my data is at risk?
If your organization uses Salesforce, you should audit your instance’s access controls immediately. The McGraw Hill breach and the Scattered LAPSUS$ Hunters campaign both exploited configuration weaknesses that are preventable with proper security hygiene. However, the fact that multiple threat groups are actively targeting Salesforce customers suggests that some organizations have already been compromised.
How many people were affected by the McGraw Hill Salesforce misconfiguration breach?
McGraw Hill claims the breach exposed a limited dataset, but ShinyHunters claims to hold 45 million Salesforce records containing personally identifiable information. The true scope of exposure remains unclear, and affected individuals may not know they are included in the compromised data.
The McGraw Hill breach is a symptom of a larger problem: Salesforce’s platform architecture and default configurations are creating exploitable gaps that threat actors are actively weaponizing. Organizations cannot assume their Salesforce instances are secure without rigorous, ongoing audits. For Salesforce customers, the question is no longer if they should worry about misconfiguration breaches, but when they should expect to discover one.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar