McGraw-Hill's 13.5M-Record Salesforce Breach: Why Cloud Misconfiguration Is the Silent SAMA CSCC Compliance Failure

A Salesforce misconfiguration exposed 13.5 million records at McGraw-Hill. With 31% of cloud breaches sharing this same root cause, Saudi financial institutions must audit their SaaS posture before their next SAMA review.

FyntraLink Team

On April 14, 2026, ShinyHunters added McGraw-Hill to its dark web extortion site and distributed over 100 GB of data containing 13.5 million unique email addresses, names, physical addresses, and phone numbers — all traced back to a single Salesforce misconfiguration. The company acknowledged the incident but insisted it "did not involve unauthorized access to McGraw Hill's Salesforce accounts or internal systems." That distinction is precisely the problem: a misconfigured web resource hosted on a SaaS platform is still your data, and regulators hold you responsible for it.

What Happened: The Salesforce Misconfiguration Vector

McGraw-Hill's breach stemmed from a publicly accessible Salesforce Experience Cloud page — a web-facing resource that was not properly locked down with authenticated access controls. ShinyHunters exploited this exposure to exfiltrate structured data from Salesforce's environment, a pattern the threat group has used repeatedly across multiple organizations this year. This is not a Salesforce platform vulnerability; it is a customer-side configuration failure. The attacker did not need to exploit a CVE or bypass MFA — they simply walked through a door that was left open in a cloud portal configuration panel.

Industry data reinforces why this matters: 31% of organizations that experienced a cloud data breach attribute the root cause to misconfiguration or human error — a figure that exceeds breaches caused by vulnerability exploits and weak MFA enforcement combined. Gartner estimates that through 2026, 99% of cloud security failures will be the customer's fault, not the cloud provider's. McGraw-Hill is the latest confirmation of that prediction.

Why Saudi Financial Institutions Are Particularly Exposed

Saudi banks, insurers, and payment processors operate complex multi-cloud and SaaS ecosystems — Microsoft 365, Salesforce CRM, ServiceNow, SAP SuccessFactors, and dozens of third-party integrations — many of which were deployed rapidly during digital transformation programs between 2022 and 2025. Each SaaS platform exposes configuration surfaces: sharing permissions, guest access policies, API key scopes, public portal settings, and external collaboration links. Security teams focused on network perimeter and endpoint controls often have no visibility into these SaaS-layer exposures.

The specific risk with Salesforce in the Saudi financial sector is acute. Many SAMA-regulated institutions use Salesforce Financial Services Cloud for customer relationship management, loan origination, and claims processing — meaning any misconfigured Experience Cloud portal or improperly scoped API credential can expose regulated customer data directly. A breach of this kind does not just create reputational damage: it triggers mandatory notification obligations under the Personal Data Protection Law (PDPL), potential enforcement action from the Saudi Data and Artificial Intelligence Authority (SDAIA), and findings in the next SAMA Cyber Security Framework (CSCC) assessment.

The SAMA CSCC and NCA ECC Control Gaps This Breach Exposes

SAMA CSCC Domain 4 (Third-Party Cybersecurity) requires member organizations to assess and continuously monitor the security posture of third-party service providers, including SaaS platforms. A misconfiguration review of Salesforce portals, permission sets, and API integrations falls squarely within this domain. CSCC Domain 3 (Cybersecurity Operations) further requires continuous monitoring of cloud-hosted assets — a control that is unmet when security teams lack a Cloud Security Posture Management (CSPM) tool that covers SaaS environments, not just IaaS and PaaS.

NCA ECC-1: 3-3 similarly mandates that organizations maintain an up-to-date inventory of all information assets, including cloud-hosted resources. Experience Cloud portals, connected apps, and Salesforce Communities are information assets under this definition. If they are not in your asset inventory, they are not in your threat model, and they are not being monitored. The McGraw-Hill breach illustrates exactly what that gap looks like when exploited.

Practical Steps to Harden Your Salesforce Posture Before Your Next SAMA Review

  1. Run a Salesforce Security Health Check immediately. Salesforce provides a native Health Check tool within Setup → Security Center. Any setting scoring below 70% in Critical Risk categories — particularly around guest user access, sharing rules, and public site authentication — requires immediate remediation. Pay special attention to Experience Cloud (formerly Community Cloud) sites: confirm that every public-facing page requires authenticated access unless explicitly approved by your security team.
  2. Audit Connected Apps and OAuth scopes. Pull a full list of Connected Apps in your Salesforce org and review the OAuth scopes granted to each. Applications granted "Full Access" or "Access and manage your data" with no IP restrictions or refresh token expiry should be flagged for review. Revoke any integrations that are no longer in active use — dormant OAuth grants are a persistent exposure that rarely appears in standard access reviews.
  3. Deploy a SaaS Security Posture Management (SSPM) tool. Tools such as Adaptive Shield, Obsidian Security, and DoControl provide continuous misconfiguration monitoring across Salesforce, Microsoft 365, ServiceNow, and other SaaS platforms. They surface drift from your security baseline in real time, generating alerts when a guest user policy is loosened or a public site goes live without MFA enforcement. For SAMA CSCC Domain 4 evidence, SSPM reports are directly mappable to third-party monitoring controls.
  4. Include SaaS portals in your PDPL data mapping exercise. If your Salesforce org holds personal data on Saudi residents — which it almost certainly does if it touches customer or employee records — that data must appear in your PDPL Article 29 data processing records. Map each Salesforce object class (Contact, Lead, Person Account) to its PDPL legal basis, retention schedule, and data residency status. A misconfigured portal that leaks this data creates an incident reportable to SDAIA under Article 40 within 72 hours of discovery.
  5. Add SaaS misconfiguration to your Threat Intelligence consumption loop. ShinyHunters has now publicly documented their methodology against Salesforce Experience Cloud environments. Your SOC should be monitoring threat intelligence feeds — including HaveIBeenPwned, Recorded Future, and CISA advisories — for indicators that your organization's Salesforce domain has been indexed by exposure scanners such as Shodan or FOFA. Proactive detection is significantly cheaper than post-breach notification.
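To make the step-2 review repeatable rather than a one-off spreadsheet exercise, the following added example (not FyntraLink's or Salesforce's tooling) applies those review rules to an export of Connected App OAuth grants and returns only the grants that need attention. The OAuthGrant record shape, the 90-day dormancy threshold and the sample apps are constructed assumptions for illustration, not Salesforce's object schema.

```python
"""Triage a Salesforce Connected App OAuth grant export against the step-2
review rules. Added example; the record shape is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# "full" and "api" are the OAuth scope names behind the Salesforce labels
# "Full access" and "Access and manage your data".
BROAD_SCOPES = {"full", "api"}
DORMANT_AFTER = timedelta(days=90)  # review threshold; an assumption

@dataclass
class OAuthGrant:
    app_name: str
    scopes: frozenset
    ip_relaxed: bool               # True = IP restrictions relaxed
    refresh_token_expires: bool    # False = valid until explicitly revoked
    last_used: Optional[datetime]  # None = never used

def review_grant(g: OAuthGrant, now: datetime) -> list:
    """Return the findings for one grant (empty list = nothing to flag)."""
    findings = []
    if g.scopes & BROAD_SCOPES:
        findings.append("broad-scope")
    if g.ip_relaxed:
        findings.append("no-ip-restriction")
    if not g.refresh_token_expires:
        findings.append("refresh-token-never-expires")
    if g.last_used is None or now - g.last_used > DORMANT_AFTER:
        findings.append("dormant")  # revocation candidate
    return findings

def triage(grants, now):
    """Map app name -> findings, keeping only grants that need attention."""
    return {g.app_name: f for g in grants if (f := review_grant(g, now))}

# Constructed sample export: not real apps, dates or data from any org.
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)
SAMPLE = [
    OAuthGrant("Core Banking Sync", frozenset({"api", "refresh_token"}),
               True, False, NOW - timedelta(days=2)),
    OAuthGrant("2023 Migration Tool", frozenset({"full"}), True, False, None),
    OAuthGrant("Marketing Dashboard", frozenset({"web", "openid"}),
               False, True, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for app, findings in triage(SAMPLE, NOW).items():
        print(f"{app}: {', '.join(findings)}")
```

The output maps directly onto the step-2 actions: "dormant" grants are revocation candidates, and the other findings are the scope, IP and refresh-token settings to tighten on the Connected App.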

The Broader Pattern: SaaS Is the New Perimeter

The McGraw-Hill breach is not an isolated incident. It is the latest in a long pattern of breaches — Twilio, CircleCI, Sisense, Anodot, and now McGraw-Hill — where the attack surface was not a traditional network endpoint but a SaaS configuration setting. Traditional security architectures built around firewalls, VPNs, and endpoint agents provide near-zero protection against this threat class. As Saudi financial institutions continue migrating workloads to cloud-native platforms under Vision 2030 digital transformation mandates, the SaaS configuration surface will expand. Without SSPM coverage, each new SaaS integration is an unmapped, unmonitored exposure waiting to be discovered — by your security team or by ShinyHunters.

Conclusion

A misconfigured Salesforce portal just cost McGraw-Hill the personal data of 13.5 million people. For a SAMA-regulated institution, the same misconfiguration would also trigger PDPL notification obligations, SAMA CSCC audit findings, and potential monetary penalties. The fix is not technically complex — it requires rigorous SaaS configuration governance, continuous posture monitoring, and explicit inclusion of SaaS environments in your asset inventory and threat model. The question is not whether your Salesforce org has misconfiguration risk; the question is whether you have discovered it before a threat actor does.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a SaaS Security Posture review mapped to SAMA CSCC Domain 3 and Domain 4 controls.