The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, stolen after the threat actors breached the educational publisher's Salesforce environment. The leak, now confirmed by McGraw Hill, exposes names, physical addresses, phone numbers, and email addresses — data that could be weaponized for targeted phishing against students and educators worldwide.
How the Breach Happened
The attack vector was not a sophisticated zero-day or novel exploit. ShinyHunters exploited a misconfiguration in McGraw Hill's Salesforce environment that left a webpage accessible to unauthorized users. McGraw Hill confirmed the breach in a statement to BleepingComputer, acknowledging that threat actors exploited a Salesforce misconfiguration but asserting the incident did not affect its Salesforce accounts, courseware, customer databases, or internal systems.
The company stated the affected webpages were secured immediately after detecting unauthorized activity, and that it is working with Salesforce to further strengthen protections.
ShinyHunters' Extortion Campaign
After the breach, ShinyHunters added McGraw Hill to its dark web leak site, claiming to have stolen 45 million Salesforce records containing PII. The group issued an ultimatum: pay a ransom demand by April 14, 2026, or have the data published publicly.
McGraw Hill did not pay. ShinyHunters followed through, and breach notification service Have I Been Pwned (HIBP) has since catalogued the leak, identifying 13.5 million accounts across more than 100 GB of released files.
The exposed data includes:
- Full names
- Physical addresses
- Phone numbers
- Email addresses
McGraw Hill confirmed that Social Security numbers, financial account information, and student platform data were not included in the exposed dataset.
McGraw Hill's Broader Deflection
The company pushed back on framing the incident as primarily its own failure, telling media outlets that the activity "appears to be part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations."
Security researchers have noted a tension between that framing and the reality on the ground. Ross Filipek, CISO at Corsica Technologies, pointed out the gap: "McGraw-Hill says attackers abused a Salesforce misconfiguration to access a limited, 'non-sensitive' dataset, while ShinyHunters is publicly claiming far more, including tens of millions of Salesforce records with personally identifiable information."
Whether the misconfiguration was in Salesforce's core platform or in McGraw Hill's specific Salesforce configuration remains a point of contention.
Who Is McGraw Hill?
Founded in 1909, McGraw Hill is one of the world's largest educational publishers, generating approximately $2.2 billion in annual revenue. The company serves learners from PreK through higher education and professional development, with a global customer base spanning universities, schools, and corporate training programs. The scale of its user database — and the sensitivity of data involving students — makes this breach particularly consequential.
ShinyHunters' Ongoing Extortion Spree
This breach is the latest in a string of high-profile incidents tied to ShinyHunters in 2026. The group has claimed confirmed breaches against:
| Target | Claimed Data |
|---|---|
| Rockstar Games | Analytics and internal data |
| Hims & Hers | Healthcare-adjacent customer PII |
| European Commission | Government records |
| Telus Digital | Employee and customer data |
| Canada Goose | ~600,000 customer records |
| Panera Bread | 5 million user records |
| Infinite Campus | 11 million student records (threatened) |
| CarGurus | Automotive marketplace data |
ShinyHunters' playbook is consistent: compromise a SaaS platform or its configuration, extract data at scale, threaten public disclosure, and — when ransom is refused — publish. The group is not known for encryption-based ransomware; their leverage is pure data extortion.
What Affected Users Should Do
If you have ever registered with McGraw Hill, ConnectED, or related McGraw Hill educational platforms, your data may have been included in the breach. Steps to take:
- Monitor for phishing — The combination of name, email, address, and phone enables convincing spear-phishing. Be skeptical of emails referencing your McGraw Hill account.
- Check Have I Been Pwned — Search your email address at haveibeenpwned.com to see if it appears in the McGraw Hill dataset.
- Update passwords — Although passwords were not confirmed in the leak, use the event as an opportunity to rotate credentials and enable multi-factor authentication where available.
- Watch for credential stuffing — If you reused your McGraw Hill email and password elsewhere, update those accounts immediately.
Salesforce Configuration Risk
This incident is a reminder that SaaS misconfiguration is among the most underappreciated attack vectors in enterprise security. Salesforce environments that expose data via incorrectly scoped public pages, guest user permissions, or community portals have been targeted repeatedly across the industry. Organizations using Salesforce should:
- Audit all public-facing Salesforce pages and Community portals
- Review guest user permissions and object-level access
- Enable Salesforce Shield for field-level encryption and event monitoring
- Run the Salesforce Security Health Check regularly
- Restrict Salesforce API access to known IP ranges where possible
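One way to carry out the guest-permission review from the list above, as an added example that is not from McGraw Hill, Salesforce, or the cited reporting: the script reads rows exported from Salesforce's ObjectPermissions object for guest-user profiles and ranks what an unauthenticated visitor is granted. The sample rows, the profile names, the `Student_Address__c` object, and the set of objects treated as holding personal data are all constructed assumptions.

```python
import json

# Constructed sample rows, shaped like a JSON export of Salesforce's
# ObjectPermissions object limited to guest-user profiles. Profile names and
# the Student_Address__c custom object are hypothetical.
SAMPLE_ROWS = json.loads("""
[
 {"Parent": {"Profile": {"Name": "Course Portal Profile"}}, "SobjectType": "Contact",
  "PermissionsRead": true, "PermissionsCreate": false, "PermissionsEdit": false},
 {"Parent": {"Profile": {"Name": "Course Portal Profile"}}, "SobjectType": "Student_Address__c",
  "PermissionsRead": true, "PermissionsCreate": true, "PermissionsEdit": false},
 {"Parent": {"Profile": {"Name": "Course Portal Profile"}}, "SobjectType": "Knowledge__kav",
  "PermissionsRead": true, "PermissionsCreate": false, "PermissionsEdit": false},
 {"Parent": {"Profile": {"Name": "Help Site Profile"}}, "SobjectType": "Case",
  "PermissionsRead": false, "PermissionsCreate": true, "PermissionsEdit": false}
]
""")

# Assumption: the objects this organization treats as holding personal data.
PII_OBJECTS = {"Contact", "Lead", "Account", "Student_Address__c"}
PERMISSION_FIELDS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
                     "PermissionsDelete", "PermissionsViewAllRecords",
                     "PermissionsModifyAllRecords")


def audit_guest_permissions(rows, pii_objects=PII_OBJECTS):
    """Return one finding per guest-profile grant, highest severity first."""
    findings = []
    for row in rows:
        granted = [f.replace("Permissions", "") for f in PERMISSION_FIELDS if row.get(f)]
        if not granted:
            continue  # profile has no access to this object
        obj = row["SobjectType"]
        # Unauthenticated read of a personal-data object is the highest-risk
        # grant; everything else is listed for manual review.
        severity = "high" if obj in pii_objects and "Read" in granted else "review"
        findings.append({"profile": row["Parent"]["Profile"]["Name"],
                         "object": obj, "granted": granted, "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["profile"], f["object"]))


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_ROWS):
        print(f'{f["severity"]:6} {f["profile"]}: {f["object"]} -> {", ".join(f["granted"])}')
```

Object permissions are only one layer: which records a guest can actually reach also depends on the org's sharing settings, so each "high" finding should be followed up there.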
Source: BleepingComputer, The Register, Security Magazine, SC Media