McGraw Hill, one of the world’s largest educational publishers, confirmed on 14 April 2026 that it suffered a data breach affecting approximately 13.5 million customer accounts. The breach was disclosed under duress: the ShinyHunters cybercriminal group claimed to have stolen 45 million records from McGraw Hill’s Salesforce environment and threatened public release if a ransom was not paid by 14 April. When negotiations evidently failed, over 100GB of data was published on ShinyHunters’ dark web leak site.
What Was Compromised
McGraw Hill’s disclosure characterises the exposed data as names, physical addresses, phone numbers, and email addresses. The company emphasised that Social Security numbers, financial account data, and student educational records were not part of the breach. McGraw Hill also stated the intrusion did not affect its own Salesforce accounts, courseware systems, or internal databases — framing the incident as a Salesforce-side exposure rather than a breach of McGraw Hill-controlled systems directly.
That distinction matters for how McGraw Hill frames its liability, but it changes very little for the 13.5 million individuals whose contact data is now publicly available. Names, phone numbers, email addresses, and physical addresses constitute the core dataset for spear-phishing, vishing, and address-based fraud. For customers who used McGraw Hill’s platforms for professional training or certification — a significant portion of its user base — the combination of professional context and contact data increases targeting precision for social engineering attacks.
The Salesforce Misconfiguration
McGraw Hill’s public statement contained a notable qualifier: the breach “appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organisations.” This language — carefully attributed to Salesforce’s environment rather than McGraw Hill’s configuration — signals that other organisations are likely affected by the same underlying issue.
The technical specifics of the misconfiguration have not been publicly confirmed. However, Salesforce misconfigurations that result in data exposure most commonly involve guest user access permissions (allowing unauthenticated queries to object records), misconfigured sharing rules (making records world-readable within or across communities), or API credential exposure enabling programmatic data extraction. The scale of the claimed theft — 45 million records across an organisation McGraw Hill’s size — suggests either a broad permission misconfiguration rather than a narrow credential compromise, or that the ShinyHunters claim encompasses data from multiple affected organisations.
ShinyHunters’ Expanding Campaign
The McGraw Hill breach is the latest in a sustained 2026 campaign by ShinyHunters — one of the most active extortion groups targeting cloud-hosted data. The group was responsible for the Anodot breach via Snowflake integration (April 2026), the Rockstar Games Salesforce exposure (April 2026), the Infinite Campus K-12 student records breach (March 2026), and dozens of other incidents. The repeated appearance of Salesforce environments as the common factor across multiple recent ShinyHunters victims suggests the group has developed specific capability — whether via compromised Salesforce credentials, API access, or knowledge of systematic misconfiguration patterns — that makes Salesforce-adjacent organisations repeatable targets.
Recommended Actions
For all organisations using Salesforce:
- Audit Guest User access permissions immediately. Guest users (unauthenticated users accessing Experience Cloud or community sites) should have access to only the specific objects required for their function. Review all object-level, record-level, and field-level sharing rules applied to the Guest User profile.
- Review Connected App OAuth scopes: Third-party applications connected via OAuth should have the minimum scopes required. Revoke any connected app with `full` or `refresh_token` scopes that is not an actively managed integration.
- Enable Salesforce Shield or Event Monitoring to log data export operations, API calls, and login activity — particularly for users or integrations with access to large volumes of customer records.
- Audit external-facing Community or Experience Cloud sites: These are the most common source of unintended public record exposure when Guest User permissions are misconfigured.
- Review Salesforce Health Check: Salesforce’s built-in Health Check tool identifies critical security setting deviations against the Salesforce Baseline Standard. Run it and remediate all items rated as risk.
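As an added illustration of the first audit step above (it is example code written for this article, not McGraw Hill's or Salesforce's own tooling), the script below takes the JSON result of an ObjectPermissions SOQL query for guest profiles and flags what an unauthenticated visitor could read. The query text, the profile name and the object names are assumptions; the records are constructed, and the allowlist is whatever your site's documented public objects are.

```python
import json

# Constructed sample (not real data): the shape returned by a SOQL query such as
#   SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords,
#          PermissionsModifyAllRecords, Parent.Profile.Name
#   FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
# saved as JSON. Profile name, object names and permission values are invented.
GUEST_PROFILE = {"Profile": {"Name": "Support Site Guest User", "UserType": "Guest"}}
SAMPLE_RESULT = json.dumps({"records": [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True,
     "PermissionsModifyAllRecords": False, "Parent": GUEST_PROFILE},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False, "Parent": GUEST_PROFILE},
    {"SobjectType": "Case", "PermissionsRead": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False, "Parent": GUEST_PROFILE},
    {"SobjectType": "Lead", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False, "Parent": GUEST_PROFILE},
    {"SobjectType": "Survey_Response__c", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False, "Parent": GUEST_PROFILE},
]})

# Standard objects that hold exactly the kind of contact data exposed in this incident.
CONTACT_BEARING = {"Contact", "Lead", "Account", "User", "Individual"}


def audit_guest_permissions(soql_json, allowed_objects):
    """Return (severity, profile, object, reason) tuples for guest-readable objects.

    Contact-bearing objects are flagged even when they are on the allowlist, because
    unauthenticated read access to them is the exposure this article describes."""
    findings = []
    for rec in json.loads(soql_json)["records"]:
        obj, profile = rec["SobjectType"], rec["Parent"]["Profile"]["Name"]
        if not rec["PermissionsRead"]:
            continue  # no read access at all: nothing an unauthenticated user can query
        if rec["PermissionsModifyAllRecords"]:
            findings.append(("CRITICAL", profile, obj, "Modify All Records on a guest profile"))
        elif rec["PermissionsViewAllRecords"]:
            findings.append(("CRITICAL", profile, obj,
                             "View All Records bypasses sharing rules for unauthenticated users"))
        elif obj in CONTACT_BEARING:
            findings.append(("HIGH", profile, obj, "guest read access to a contact-bearing object"))
        elif obj not in allowed_objects:
            findings.append(("MEDIUM", profile, obj, "guest read access outside the allowlist"))
    return findings


if __name__ == "__main__":
    # On this hypothetical site only the knowledge articles are meant to be public.
    for sev, profile, obj, reason in audit_guest_permissions(SAMPLE_RESULT, {"Knowledge__kav"}):
        print(f"{sev:8} {profile}: {obj} - {reason}")
```

Object-level read is only the first gate; a record the guest profile can read is still exposed only where org-wide defaults or sharing rules for the guest user make it visible, so follow this with the sharing-rule review the same bullet calls for.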
For individuals with McGraw Hill accounts:
- Be alert to highly targeted phishing, vishing, and smishing attempts that reference educational content or professional development — attackers with your name, phone, and email can craft convincing pretexts.
- If you use the same email address and password on McGraw Hill as on other services, rotate credentials for all shared accounts immediately.
Broader Context
The pattern of ShinyHunters targeting Salesforce-connected organisations — now including at least three confirmed victims in April 2026 alone — points to a systematic campaign rather than opportunistic breaches. SaaS platforms hold extraordinary concentrations of customer data on behalf of their clients, and the shared responsibility model for cloud security places the burden of correct configuration firmly on the client organisation. The question being tested in the McGraw Hill case is where that boundary lies when the misconfiguration appears to reside in Salesforce’s own environment rather than a client’s configuration choices.