Education giant McGraw-Hill has confirmed a data breach caused by a misconfiguration in its Salesforce environment, with extortion group ShinyHunters claiming to hold 45 million records, as reported by BleepingComputer. The company says the exposed data was limited and didn’t include financial details or student records, but the breach itself is a sharp reminder that your data is only as secure as your SaaS configuration.
This matters for Australian not-for-profits more than you might think. Salesforce is one of the most widely used CRM platforms in the NFP sector — Salesforce for Nonprofits powers donor management, volunteer coordination, and grant tracking for thousands of organisations. A misconfiguration in how your Salesforce instance exposes data through APIs or community pages could put donor records, contact details, and sensitive case information at risk. Under the Australian Privacy Act, organisations handling personal information have clear obligations to protect it — and “our cloud provider was misconfigured” isn’t a defence the OAIC will accept.
The practical step here is straightforward: audit your SaaS platform configurations. Check who has API access, whether guest or community user permissions are correctly scoped, and whether any data is unintentionally exposed through public-facing pages. If you use Salesforce, review your sharing rules and guest user profiles specifically — these are the most common misconfiguration points.
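One way to start the guest user profile review described above is to retrieve the profile's metadata and scan it for broad permissions. The script below is an added example, not tooling from All IT Services or Salesforce; the sample profile is constructed, and the lists of risky permissions and sensitive objects are assumptions to adjust for your organisation.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData"}
WRITE_FLAGS = ("allowCreate", "allowEdit", "allowDelete", "viewAllRecords", "modifyAllRecords")
# Assumption: objects this organisation treats as holding personal information.
SENSITIVE_OBJECTS = {"Contact", "Account", "Case"}

# Constructed, abbreviated sample shaped like a retrieved guest profile (.profile-meta.xml).
SAMPLE_GUEST_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewAllData</name></userPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Contact</object></objectPermissions>
  <objectPermissions><allowCreate>true</allowCreate><allowRead>true</allowRead><object>Case</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Knowledge__kav</object></objectPermissions>
</Profile>"""

def _is_true(node, tag):
    # A missing element is treated as "false".
    value = node.findtext(f"sf:{tag}", default="false", namespaces=NS)
    return value.strip().lower() == "true"

def audit_guest_profile(xml_text):
    """Return (kind, name, detail) findings for permissions a guest profile rarely needs."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", default="", namespaces=NS)
        if name in RISKY_USER_PERMS and _is_true(perm, "enabled"):
            findings.append(("user-permission", name, "enabled"))
    for obj in root.findall("sf:objectPermissions", NS):
        name = obj.findtext("sf:object", default="", namespaces=NS)
        granted = [flag for flag in WRITE_FLAGS if _is_true(obj, flag)]
        if granted:  # any write or view-all/modify-all grant to unauthenticated users
            findings.append(("object-write", name, ",".join(granted)))
        elif name in SENSITIVE_OBJECTS and _is_true(obj, "allowRead"):
            findings.append(("object-read", name, "allowRead"))
    return findings

if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_GUEST_PROFILE):
        print(*finding, sep="\t")
```

This covers profile-level permissions only; sharing rules and org-wide defaults still need a separate review, since they decide which records a permitted object actually exposes.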
Not sure where to start? All IT Services works with not-for-profits across Australia to review and secure their cloud platforms. Learn more about our NFP IT services or get in touch for a configuration review.
