Education publishing giant McGraw-Hill has confirmed a data breach after hackers exploited a misconfiguration in its Salesforce Experience Cloud deployment and threatened to publish stolen data. The breach is part of a broader campaign by the ShinyHunters extortion group targeting hundreds of organizations worldwide.
What Happened
McGraw-Hill issued a statement confirming that unauthorized access occurred through a misconfigured Salesforce Experience Cloud guest user profile. According to the company, hackers accessed a "limited and non-sensitive" set of data hosted on a Salesforce Experience Cloud webpage. Customer databases and internal systems were not affected, and the vulnerable webpages were secured immediately upon discovery.
ShinyHunters set an extortion deadline of April 14, 2026, threatening to publicly leak the stolen data if a ransom was not paid. The group claims to have stolen 45 million Salesforce records containing personally identifiable information from McGraw-Hill's deployment.
The ShinyHunters Salesforce Campaign
McGraw-Hill is one victim in a much larger operation. ShinyHunters began scanning the internet for exposed Salesforce Experience Cloud endpoints in September 2025, targeting the /s/sfsites/aura API path. By January 2026, the group had weaponized a modified version of AuraInspector — an open-source Salesforce security auditing tool originally developed by Mandiant — to actively extract data rather than merely detect misconfigurations.
The group also discovered that the sortBy parameter in Salesforce's GraphQL API bypassed the standard 2,000-record-per-query limit, dramatically accelerating data exfiltration. Researchers estimate that approximately 300–400 organizations have been targeted in this campaign.
ShinyHunters is the same group behind the high-profile 2024 Snowflake customer breach campaign that impacted Ticketmaster, AT&T, and hundreds of other enterprises.
Root Cause: Salesforce Guest User Misconfiguration
Salesforce's Experience Cloud platform is not itself compromised. The vulnerability lies in how organizations configure their deployments. When the guest user profile — which represents unauthenticated visitors — is granted excessive permissions, attackers can query Salesforce CRM objects directly without logging in.
Common misconfigurations that enabled this campaign:
- "API Enabled" permission on the guest user profile (allows direct API queries)
- Excessive object permissions on the guest profile (read access to sensitive CRM records)
- "Portal User Visibility" and "Site User Visibility" sharing settings left enabled
- Self-registration enabled without restrictions
Mitigation: Salesforce Administrators
Salesforce has provided guidance for customers to audit and harden their Experience Cloud deployments:
- Remove "API Enabled" from the guest user profile
- Audit all object permissions on guest profiles — apply least privilege
- Disable guest access to public APIs if not required
- Uncheck "Portal User Visibility" and "Site User Visibility" in Sharing Settings
- Disable self-registration if not actively used
- Review Experience Cloud page configurations for any endpoints exposing sensitive objects
Salesforce Setup → Users → Guest User → System Permissions
→ Uncheck: API Enabled
→ Uncheck: View All Data
→ Review all Object permissions individually
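The checks above can be scripted against the org's own metadata rather than clicked through one profile at a time. The following audit script is an added example written for this article; it is not McGraw-Hill's, Salesforce's, or ShinyHunters' code. It identifies guest profiles through User.UserType = 'Guest', then inspects the profile's underlying PermissionSet row for API Enabled and View All Data and its ObjectPermissions rows for read access to CRM objects. The object and field names are real Salesforce API names; the SENSITIVE_OBJECTS list, the sample records, and the assumption that the caller already holds an admin OAuth token for their own org are assumptions.

```python
"""Audit Salesforce guest user profiles for the misconfigurations listed above.

Added example, not from the article or from Salesforce. It checks the same
things the hardening steps name: API Enabled, View All Data, and object read
access on a guest profile. Object and field names are real Salesforce API
names; SENSITIVE_OBJECTS and the sample records below are constructed.
"""
import json
import urllib.parse
import urllib.request

# Guest (unauthenticated) users carry UserType = 'Guest'; their ProfileId points
# at the Experience Cloud site's guest profile.
GUEST_USER_SOQL = (
    "SELECT Id, Username, ProfileId FROM User "
    "WHERE UserType = 'Guest' AND IsActive = true"
)
# Profile-level permissions live on the profile's underlying PermissionSet row.
PERMSET_SOQL = (
    "SELECT Id, ProfileId, Profile.Name, PermissionsApiEnabled, "
    "PermissionsViewAllData FROM PermissionSet WHERE IsOwnedByProfile = true"
)
OBJPERM_SOQL = (
    "SELECT ParentId, SobjectType, PermissionsRead, PermissionsViewAllRecords "
    "FROM ObjectPermissions"
)

# Assumption: objects an unauthenticated visitor should essentially never read.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}


def audit_guest_profiles(guest_users, permission_sets, object_permissions):
    """Return (profile_name, finding) tuples for every guest profile that has
    API Enabled, View All Data, or read access to a sensitive object."""
    guest_profile_ids = {u["ProfileId"] for u in guest_users}
    by_parent = {}
    for op in object_permissions:
        by_parent.setdefault(op["ParentId"], []).append(op)
    findings = []
    for ps in permission_sets:
        if ps["ProfileId"] not in guest_profile_ids:
            continue  # admin and regular user profiles are out of scope here
        name = ps["Profile"]["Name"]
        if ps["PermissionsApiEnabled"]:
            findings.append((name, "API Enabled: guest can query the REST/GraphQL APIs"))
        if ps["PermissionsViewAllData"]:
            findings.append((name, "View All Data: bypasses sharing rules"))
        for op in by_parent.get(ps["Id"], []):
            if op["PermissionsRead"] and op["SobjectType"] in SENSITIVE_OBJECTS:
                findings.append((name, f"Read on {op['SobjectType']}"))
            if op["PermissionsViewAllRecords"]:
                findings.append((name, f"View All records on {op['SobjectType']}"))
    return findings


def fetch_records(instance_url, access_token, soql, api_version="v60.0"):
    """Run a SOQL query against a live org and follow nextRecordsUrl pages.
    Assumption: the caller is an admin auditing their own org and has already
    obtained an OAuth access token."""
    url = f"{instance_url}/services/data/{api_version}/query?q={urllib.parse.quote(soql)}"
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        records.extend(body["records"])
        url = None if body["done"] else instance_url + body["nextRecordsUrl"]
    return records


# Constructed sample data shaped like the REST API's query results. One guest
# profile is misconfigured, one is clean, and one admin profile must be ignored.
GUEST_USERS = [
    {"Id": "005000000000001AAA", "Username": "support-site@example.invalid",
     "ProfileId": "00e000000000001AAA"},
    {"Id": "005000000000002AAA", "Username": "docs-site@example.invalid",
     "ProfileId": "00e000000000002AAA"},
]
PERMISSION_SETS = [
    {"Id": "0PS000000000001AAA", "ProfileId": "00e000000000001AAA",
     "Profile": {"Name": "Support Site Profile"},
     "PermissionsApiEnabled": True, "PermissionsViewAllData": False},
    {"Id": "0PS000000000002AAA", "ProfileId": "00e000000000002AAA",
     "Profile": {"Name": "Docs Site Profile"},
     "PermissionsApiEnabled": False, "PermissionsViewAllData": False},
    {"Id": "0PS000000000003AAA", "ProfileId": "00e000000000003AAA",
     "Profile": {"Name": "System Administrator"},
     "PermissionsApiEnabled": True, "PermissionsViewAllData": True},
]
OBJECT_PERMISSIONS = [
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"ParentId": "0PS000000000002AAA", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"ParentId": "0PS000000000003AAA", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
]


def run_sample():
    """Audit the constructed sample; a live run would pass fetch_records()
    results for the three SOQL strings instead."""
    return audit_guest_profiles(GUEST_USERS, PERMISSION_SETS, OBJECT_PERMISSIONS)


if __name__ == "__main__":
    for profile, finding in run_sample():
        print(f"[!] {profile}: {finding}")
```

The sample run reports four findings, all on "Support Site Profile": API Enabled, Read on Contact, Read on Case, and View All records on Case. The Docs Site profile's read access to a knowledge article object is not flagged because it is outside the sensitive list, and the System Administrator profile is skipped entirely because no guest user is attached to it. Treat every finding as a candidate for the "Uncheck" steps above, then re-run after the change to confirm the result is empty.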
Organizations unsure whether their deployments are affected should engage a Salesforce security specialist or use Salesforce's built-in Health Check tool to identify excessive guest permissions.
Impact and Context
McGraw-Hill is a major educational content publisher serving K–12, higher education, and professional markets globally. While the company downplayed the sensitivity of the accessed data, any exposure of student or educator PII carries significant implications under FERPA and various state privacy regulations.
The broader ShinyHunters Salesforce campaign represents a shift in the group's tactics: rather than exploiting application vulnerabilities, they are systematically harvesting data from legitimately deployed platforms where customers have left security guardrails unconfigured — a pattern that is difficult to detect and attribute quickly.