Education publishing giant McGraw-Hill has publicly confirmed that a Salesforce Experience Cloud misconfiguration in its environment led to unauthorized access to customer data. The disclosure follows an extortion demand by the ShinyHunters cybercriminal group, which threatened to publish 45 million stolen Salesforce records unless a ransom was paid.
What McGraw-Hill Disclosed
In a statement released April 15, 2026, McGraw-Hill confirmed that hackers accessed data through a misconfigured guest user profile in its Salesforce Experience Cloud deployment. The company characterized the accessed data as "limited and non-sensitive" and said its core customer databases and internal enterprise systems were not compromised.
The vulnerable Salesforce webpages were identified and secured after the breach was discovered. McGraw-Hill did not publicly disclose the volume of records affected or the categories of data exposed, beyond stating that the data was hosted on Salesforce Experience Cloud.
ShinyHunters set an extortion deadline of April 14, 2026 — the day before McGraw-Hill's disclosure — threatening to publish the data if a ransom was not received.
The Broader ShinyHunters Salesforce Campaign
McGraw-Hill is one of hundreds of organizations caught in an expansive ShinyHunters operation targeting Salesforce Experience Cloud deployments with overly permissive guest user configurations.
The campaign timeline:
- September 2025 — ShinyHunters begins mass-scanning for exposed Salesforce Experience Cloud endpoints, targeting the `/s/sfsites/aura` API path
- January 2026 — Group weaponizes a modified version of AuraInspector, an open-source Salesforce audit tool originally developed by Mandiant, converting it from a detection tool to an active data exfiltration framework
- January–April 2026 — Active exfiltration from hundreds of organizations; ShinyHunters also discovers a `sortBy` parameter in Salesforce's GraphQL API that bypasses the 2,000-record-per-query limit, dramatically increasing extraction speed
- March–April 2026 — Extortion demands sent to victims, with public disclosure threats as leverage
Security researchers estimate 300 to 400 organizations have been affected. ShinyHunters is the same group responsible for the 2024 Snowflake campaign that impacted Ticketmaster, AT&T, and over 160 other enterprises.
Why Salesforce Misconfigurations Are Dangerous
The Salesforce Experience Cloud platform itself has not been compromised. The vulnerability lies in how customers configure their deployments — a class of risk that Salesforce has consistently flagged but that organizations frequently overlook.
The core issue is the guest user profile: a special account that represents unauthenticated visitors to an Experience Cloud site. When administrators grant this profile excessive permissions — particularly the "API Enabled" system permission — external parties can query Salesforce CRM data directly via the Aura framework API, without ever logging in.
Common misconfigurations that enabled ShinyHunters' access:
| Misconfiguration | Risk |
|---|---|
| "API Enabled" on guest profile | Allows direct REST/Aura API access without authentication |
| Broad object-level permissions | Exposes CRM records (contacts, leads, accounts) to anonymous queries |
| "Portal User Visibility" enabled | Expands data visibility beyond intended scope |
| Self-registration without restrictions | Enables mass account creation for further access |
Remediation for Salesforce Administrators
Organizations using Salesforce Experience Cloud should audit their guest user profiles immediately:
- Remove "API Enabled" from the guest user system permissions
- Review all object permissions on the guest profile and apply least-privilege
- Disable guest access to public API endpoints unless explicitly required
- Uncheck "Portal User Visibility" and "Site User Visibility" in Sharing Settings
- Disable self-registration if not actively in use
- Run Salesforce Health Check to identify overprivileged configurations
Salesforce Setup → Users → Guest User → Edit Profile
→ System Permissions → Uncheck: API Enabled, View All Data
→ Object Settings → Review each object individually
Use the Salesforce Security Center and the community-contributed "Salesforce Misconfiguration Scanner" tool to assess exposure across Experience Cloud sites.
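The profile checks above can also be run offline against a guest profile retrieved through the Metadata API. This is an added example, not code from the original article, Salesforce or any tool it names; the sample profile, the `audit_guest_profile` function name and the list of sensitive objects are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# System permissions the remediation steps say to uncheck on the guest profile.
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData"}
# Object rights beyond plain read that an unauthenticated profile should not hold.
BEYOND_READ = ("allowCreate", "allowEdit", "allowDelete",
               "viewAllRecords", "modifyAllRecords")
# Assumed set of CRM objects treated as sensitive; adjust for your org.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead"}

# Constructed sample of a retrieved guest profile (Profile metadata type).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewAllData</name></userPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Contact</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><allowCreate>true</allowCreate><object>Case</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><object>Knowledge__kav</object></objectPermissions>
</Profile>"""


def _text(node, tag):
    """Return the trimmed text of a child element, or '' if it is absent."""
    return (node.findtext(f"md:{tag}", default="", namespaces=NS) or "").strip()


def audit_guest_profile(xml_text):
    """Return (category, name, detail) findings for an exported guest profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("md:userPermissions", NS):
        name = _text(perm, "name")
        if _text(perm, "enabled") == "true" and name in RISKY_USER_PERMS:
            findings.append(("system-permission", name, "remove from guest profile"))
    for perm in root.findall("md:objectPermissions", NS):
        obj = _text(perm, "object")
        granted = [flag for flag in BEYOND_READ if _text(perm, flag) == "true"]
        if granted:
            findings.append(("object-permission", obj, "beyond read: " + ",".join(granted)))
        elif _text(perm, "allowRead") == "true" and obj in SENSITIVE_OBJECTS:
            findings.append(("object-permission", obj, "anonymous read of CRM records"))
    return findings


if __name__ == "__main__":
    for category, name, detail in audit_guest_profile(SAMPLE_PROFILE):
        print(f"{category:18} {name:16} {detail}")
```

Sharing settings such as "Portal User Visibility" and site self-registration live outside the profile metadata, so they still need to be reviewed separately.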
Context: McGraw-Hill and Education Sector Risk
McGraw-Hill is one of the largest educational content publishers in the world, serving K–12 schools, universities, and professional development markets across more than 130 countries. Its Salesforce deployment likely contains student and educator contact data, institutional customer records, and potentially data subject to educational privacy regulations such as FERPA (U.S.) and GDPR (EU).
The education sector has historically underinvested in cybersecurity relative to the sensitivity of data it handles. ShinyHunters' targeting of McGraw-Hill signals continued threat actor interest in education industry data, which commands value in credential and identity markets.