
Apr 15, 2026

McGraw-Hill Got Breached Through Salesforce—ShinyHunters Threatened to Leak 45 Million Records

A misconfiguration in Salesforce's environment gave hackers a way in. The $2.2 billion publisher says the exposed data is limited, but the extortion group tells a very different story.


What Happened

McGraw-Hill, one of the largest education publishers in the world, confirmed on April 14, 2026, that hackers gained unauthorized access to data hosted on its Salesforce platform. The breach came to light after the extortion group ShinyHunters publicly claimed responsibility and threatened to leak the stolen information unless ransom demands were met.

ShinyHunters says it holds 45 million Salesforce records containing personally identifiable information. McGraw-Hill disputes that characterization, stating that the exposed data is limited and does not include Social Security numbers, financial account details, or student platform data. The gap between those two accounts is wide enough to worry anyone whose information may have been involved.

How the Breach Occurred

The attack vector was not a sophisticated exploit or zero-day vulnerability. It was a misconfiguration in Salesforce's environment that left a webpage accessible to unauthorized users. McGraw-Hill described it as "part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations."

This is a pattern that security professionals have seen repeatedly: cloud platforms offer powerful tools, but their default configurations are not always secure. When organizations deploy Salesforce instances without tightening access controls, they can inadvertently expose customer data, internal records, and business logic to anyone who knows where to look. McGraw-Hill says it immediately secured the affected webpages after detecting the unauthorized access.

ShinyHunters' Track Record

ShinyHunters is not a new threat actor. The group has been behind some of the highest-profile breaches of the past two years, including attacks against Snowflake customers through the Anodot analytics platform, Rockstar Games, Hims & Hers through Zendesk, and the European Commission's AWS infrastructure.

Their method follows a consistent playbook: compromise a third-party platform or service provider, extract data at scale, then threaten to publish it unless the victim pays. The McGraw-Hill breach fits this model precisely. Rather than attacking McGraw-Hill's core systems directly, ShinyHunters exploited the gap between a SaaS platform's configuration and the customer's expectations of security.

The Salesforce Misconfiguration Problem

McGraw-Hill's statement that this was a "broader issue" affecting "multiple organizations" is significant. Salesforce misconfigurations have been a recurring source of data exposures across industries. Common issues include overly permissive guest user access, improperly configured sharing rules, and exposed API endpoints that return data without authentication.

For compliance officers and IT teams, this breach underscores a critical reality: adopting a major SaaS platform does not transfer your security responsibilities to the vendor. Shared responsibility models mean the platform secures its infrastructure, but the customer must secure its own configurations, access controls, and data governance policies. When those lines blur, attackers like ShinyHunters find the gaps.

What Data Was Actually Exposed

The conflicting claims make it difficult to assess the true scope of the breach:

  • ShinyHunters' claim: 45 million Salesforce records containing personally identifiable information
  • McGraw-Hill's position: A limited dataset with no SSNs, no financial data, and no student educational platform data

McGraw-Hill emphasized that the breach did not involve access to its Salesforce accounts, customer databases, courseware, or internal systems. However, the company has not specified exactly what types of personal information were in the exposed dataset. For the millions of students, educators, and institutions that rely on McGraw-Hill's platforms, this ambiguity is not reassuring.

What You Should Do

Whether you are a McGraw-Hill user, a Salesforce administrator, or someone concerned about third-party data exposure, there are concrete steps to take:

  • Change your McGraw-Hill password if you have an account, and enable multi-factor authentication if available
  • Monitor your email for phishing attempts referencing McGraw-Hill, Salesforce, or educational services. Breach victims are frequently targeted with follow-up scams
  • Audit your Salesforce configurations if you administer a Salesforce instance. Review guest user permissions, sharing rules, and API access controls
  • Watch for official notifications from McGraw-Hill. Class action investigations have already been announced by law firms
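
As an added example for the Salesforce audit step above (not part of the original article, and not a reconstruction of the misconfiguration in this incident, which the article does not detail): a small Python check that reads an export of guest-profile object permissions and ranks the risky grants. The sample rows, profile names and the list of sensitive objects are constructed assumptions; the permission column names follow Salesforce's ObjectPermissions object.

```python
import csv
import io

# Constructed sample: rows shaped like an admin's export of ObjectPermissions
# for guest-user profiles. Profile and custom object names are invented.
SAMPLE_EXPORT = """\
ProfileName,SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
Support Site Guest,Case,true,true,false,false,false,false
Support Site Guest,Contact,true,false,false,false,true,false
Support Site Guest,Knowledge__kav,true,false,false,false,false,false
Partner Portal Guest,Account,true,false,true,false,false,false
Partner Portal Guest,Order_Request__c,false,true,false,false,false,false
"""

# Assumption: objects this reviewer treats as likely to hold personal data.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "User"}
WRITE_FLAGS = {"PermissionsEdit", "PermissionsDelete"}
BYPASS_FLAGS = {"PermissionsViewAllRecords", "PermissionsModifyAllRecords"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_guest_permissions(export_text, sensitive=SENSITIVE_OBJECTS):
    """Return (severity, profile, object, reason) findings, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Collect the permission columns that are switched on for this row.
        granted = {
            name for name, value in row.items()
            if name.startswith("Permissions") and value.strip().lower() == "true"
        }
        profile, obj = row["ProfileName"], row["SobjectType"]
        if granted & BYPASS_FLAGS:
            reason = "View All / Modify All ignores sharing rules for guests"
            findings.append(("critical", profile, obj, reason))
        elif granted & WRITE_FLAGS:
            reason = "unauthenticated visitors can edit or delete records"
            findings.append(("high", profile, obj, reason))
        elif "PermissionsRead" in granted and obj in sensitive:
            reason = "guest read access on an object likely to hold personal data"
            findings.append(("medium", profile, obj, reason))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for severity, profile, obj, reason in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"[{severity:8}] {profile} / {obj}: {reason}")
```

Object permissions are only the first layer; a clean result here still leaves sharing rules and API access controls to review separately.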

The McGraw-Hill breach is another reminder that your data security is only as strong as the weakest link in your vendor chain. When a single misconfiguration can expose millions of records, the question is not whether your SaaS providers will be targeted, but when.