McGraw Hill, a leading educational publishing company in North America, has faced a cyber security incident, the vpnMentor research team said.
The hacker posted the data on November 6, 2023, along with a description alleging that 90,875 users were affected.
According to the post, among the leaked information are full names, usernames, account IDs, phone numbers, email addresses, and home addresses. The database was posted behind a paywall; thus, the team couldn’t access the link to the full database and only saw the sample shared in the post.
The phone numbers and home addresses of the individuals exposed in the shared sample are blank, but those fields could be filled for other users in the full database. The post was made by a forum user who has previously shared several leaked or breached databases that were later proven to be authentic.
The vpnMentor team, in its capacity as cybersecurity researchers, contacted McGraw Hill to report the exposed information found on the forum.
In 2022, the vpnMentor team found and reported a McGraw Hill data leak that affected over 100,000 students. The exposure came from two misconfigured Amazon Web Services (AWS) S3 buckets belonging to McGraw Hill. The two servers contained over 22 TB of data spread across more than 117 million files. It is difficult to confirm whether the 2023 leak is related to the 2022 breach we discovered.
Based on the previous report, the format of the database and the lack of supporting documents and auxiliary files in the sample shared by the forum user suggest that the 2023 leak originated from a different component of McGraw Hill’s systems rather than the vulnerability found in the year prior.
However, there are parallels between the naming convention for the .edu emails in the sample the hacker posted and the report we published. This indicates that the recently leaked data is most likely to be authentic.
Hackers can potentially use the exposed PII to commit various types of online fraud or cyberattacks. The PII included in the leak could be used for identity theft, doxing, or phishing attempts. For instance, cybercriminals could pose as renowned companies or organizations and send the affected individuals emails that may convince them to provide additional sensitive information — such as banking information or social security numbers — or click on malware-carrying links.