
Educational publishing giant McGraw Hill has confirmed a significant data breach following an extortion attempt by the ShinyHunters threat group, resulting in the exposure of over 13.5 million user records. The incident, which surfaced in April 2026, has now been independently verified by Have I Been Pwned (HIBP).
What Happened
McGraw Hill confirmed ShinyHunters’ breach claims in a statement shared with BleepingComputer, saying the threat actors exploited a misconfiguration in the compromised Salesforce environment to access its data. The company said the incident did not affect its Salesforce accounts, courseware, customer databases, or internal systems, and that the amount of exposed data is limited and non-sensitive.
McGraw Hill stated: “This activity appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations that work with Salesforce.”
The ShinyHunters Extortion Play
The incident surfaced after the ShinyHunters extortion group claimed it had obtained up to 45 million Salesforce records tied to McGraw Hill, alleging the data includes personally identifiable information (PII) and threatening to release it unless a ransom was paid.
When negotiations broke down, the group followed through, dumping over 100GB of data.
Exposed Data — What’s in the Wild
More than 100GB of data was publicly distributed, containing 13.5 million unique email addresses across multiple files, with additional fields such as name, physical address, and phone number appearing inconsistently across some records.
While nearly half of the exposed email addresses had appeared in previous breach collections, a substantial portion are newly exposed, increasing the risk for affected individuals. Even in the absence of passwords, the combination of contact details can be leveraged in phishing campaigns, identity fraud, and other social engineering attacks.
The Salesforce Angle
Most Salesforce compromises don’t stem from flaws in Salesforce itself, but from stolen credentials, abused OAuth apps, or over-permissioned integrations that give attackers legitimate access to quietly pull data.
A Salesforce spokesperson said there is no evidence the platform was compromised or that the incident was caused by a known vulnerability of the platform.
ShinyHunters — Pattern of Targeting
Before the purported attack against McGraw Hill, ShinyHunters alleged breaching U.S. education technology firm Infinite Campus and other organizations, including Telus Digital, the European Commission, Wynn Resorts, Match Group, Rockstar Games, Hims & Hers, and Panera Bread.
Recommendations
Organizations using Salesforce or any cloud-hosted CRM/SaaS environment should immediately audit third-party integration permissions and review where a misconfiguration could expose data. Specific actions include:
- Audit all externally accessible Salesforce-hosted pages and portals
- Review OAuth app permissions and third-party connector scopes
- Enable Salesforce Shield or equivalent data activity monitoring
- Validate data minimization practices on customer-facing web properties
- Monitor for credential abuse and anomalous API access patterns
McGraw Hill customers and users should remain vigilant for spear-phishing campaigns leveraging the exposed PII and monitor their email addresses via HIBP or equivalent breach notification services.
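As an added example (not code from McGraw Hill, Salesforce, or the original article), the following Python applies the "anomalous API access patterns" recommendation to a constructed query log, flagging any account and connected app whose daily record reads far exceed that principal's own baseline. The log columns, account names, and thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: one row per API query. The column names are assumptions
# for this example, not Salesforce's actual event log schema.
SAMPLE_LOG = """\
date,user,connected_app,object,rows_returned
2026-04-01,svc-marketing,MailSync,Contact,1200
2026-04-02,svc-marketing,MailSync,Contact,1350
2026-04-03,svc-marketing,MailSync,Contact,1100
2026-04-04,svc-marketing,MailSync,Contact,980000
2026-04-01,jdoe,SalesMobile,Lead,40
2026-04-02,jdoe,SalesMobile,Lead,55
2026-04-04,guest-site,PortalForm,Contact,250000
"""

def daily_totals(log_text):
    """Sum rows returned per (user, app) principal per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in csv.DictReader(io.StringIO(log_text)):
        key = (rec["user"], rec["connected_app"])
        totals[key][rec["date"]] += int(rec["rows_returned"])
    return totals

def flag_bulk_reads(log_text, factor=10, min_rows=10_000):
    """Flag days where a principal reads far more than its own baseline.

    Baseline is the median of the principal's other days. A principal with no
    other days has a baseline of 0, so any volume >= min_rows is flagged.
    """
    alerts = []
    for principal, days in daily_totals(log_text).items():
        for day, rows in days.items():
            others = [v for d, v in days.items() if d != day]
            baseline = median(others) if others else 0
            if rows >= min_rows and rows > factor * baseline:
                alerts.append((day, principal[0], principal[1], rows, baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for day, user, app, rows, baseline in flag_bulk_reads(SAMPLE_LOG):
        print(f"{day} {user} via {app}: {rows} rows (baseline {baseline})")
```

Comparing each principal against its own history, rather than a single global threshold, lets a routinely high-volume integration and a normally quiet portal account be judged separately.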



