Education publishing giant McGraw-Hill has confirmed that hackers exploited a Salesforce misconfiguration to access internal data, following an extortion threat from the ShinyHunters group. The confirmation, reported by BleepingComputer on April 14, comes as ShinyHunters claims to hold 45 million Salesforce records containing personally identifiable information and threatens to leak the data if a ransom is not paid. McGraw-Hill, a $2.2 billion annual revenue company serving K-12 schools and universities worldwide, disputes the severity of the exposure.

What Happened

McGraw-Hill identified unauthorized access to data hosted on a webpage within its Salesforce environment. The company attributes the breach to a misconfiguration within Salesforce's platform, noting it was "part of a broader issue" affecting multiple organizations that work with Salesforce. Upon detection, McGraw-Hill secured the affected webpages and engaged external cybersecurity experts to investigate. The company is coordinating with Salesforce to strengthen protections and fully remediate the issue. ShinyHunters posted McGraw-Hill on its dark-web extortion portal with an April 14 deadline for ransom payment.

What Was Taken

The scope of compromised data remains disputed. ShinyHunters claims possession of 45 million Salesforce records containing PII. McGraw-Hill counters that the exposed data is "limited and non-sensitive," explicitly stating that no Social Security numbers, financial account information, or student data from educational platforms were compromised. The company also asserts that its Salesforce accounts, customer databases, courseware, and internal systems were not accessed. The gap between the threat actor's claims and the company's statement is significant and unresolved.

Why It Matters

This incident carries weight for several reasons. First, McGraw-Hill handles data for millions of students across K-12 and higher education, making any breach involving an education provider a sensitive matter regardless of what was ultimately exfiltrated. Second, the attack vector, a Salesforce misconfiguration affecting multiple organizations, signals a systemic exposure rather than a targeted compromise of McGraw-Hill alone. Defenders across any industry relying on Salesforce-hosted pages should treat this as a direct warning. Third, ShinyHunters continues to operate at a high tempo in 2026, having already hit Rockstar Games and Hims & Hers this year. Their pattern of exploiting third-party platform misconfigurations rather than breaching core infrastructure directly shows an evolution in how extortion groups select and compromise targets.

The Attack Technique

The breach exploited a misconfiguration in Salesforce's environment, specifically on webpages hosted by Salesforce on behalf of McGraw-Hill. This aligns with a known class of vulnerabilities in Salesforce Communities and Sites where overly permissive guest user access, exposed Aura API endpoints, or misconfigured sharing rules can allow unauthenticated users to query and extract records at scale. McGraw-Hill's own statement acknowledges this was not an isolated incident but part of a broader misconfiguration issue impacting multiple Salesforce customers. The attack did not require compromising credentials or exploiting a zero-day; it leveraged existing access controls that were improperly configured.
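As an added example (not from McGraw-Hill, Salesforce, or the original report), the following defender-side check audits the guest-user object permissions described above. It assumes rows exported from the Salesforce ObjectPermissions object for a site's guest profile; the sample rows, the PII watch-list, and the severity labels are constructed for illustration.

```python
# Added example: audit a Salesforce site's guest-user object permissions.
# Assumption: rows were exported from the ObjectPermissions object for the
# guest profile, e.g. via SOQL filtered on Parent.ProfileId = <guest profile id>.

# Hypothetical watch-list of objects that commonly hold PII; tune per org.
PII_OBJECTS = {"Account", "Contact", "Lead", "Case", "User"}

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


def audit_guest_permissions(rows, pii_objects=PII_OBJECTS):
    """Return (severity, object, reason) findings, most severe first."""
    findings = []
    for row in rows:
        obj = row["SobjectType"]
        broad = [f for f in BROAD_FLAGS if row.get(f)]
        write = [f for f in WRITE_FLAGS if row.get(f)]
        if broad:
            # These flags bypass sharing rules: every record is reachable.
            findings.append(("critical", obj, "guest bypasses sharing: " + ", ".join(broad)))
        if write:
            findings.append(("high", obj, "guest can modify data: " + ", ".join(write)))
        if row.get("PermissionsRead") and obj in pii_objects and not broad:
            # Read alone is only safe if sharing rules keep records private.
            findings.append(("review", obj, "guest read on PII object; verify sharing rules"))
    order = {"critical": 0, "high": 1, "review": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed sample export (not real data).
SAMPLE_ROWS = [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"SobjectType": "Lead", "PermissionsRead": True},
]

if __name__ == "__main__":
    for severity, obj, reason in audit_guest_permissions(SAMPLE_ROWS):
        print(f"{severity:8} {obj:15} {reason}")
```

Object permissions are only one layer; a "review" finding still needs the object's external sharing settings checked before it can be closed.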

Who Is ShinyHunters

ShinyHunters is a well-established data extortion group active since at least 2020, known for breaching high-profile targets and selling or leaking stolen data. In 2026 alone, confirmed victims include Rockstar Games and Hims & Hers, both involving third-party platform compromises. The group operates an extortion portal on the dark web where victims are listed with countdown timers, pressuring payment before data is released publicly. ShinyHunters has historically targeted cloud services, SaaS platforms, and developer repositories, favoring misconfigurations and exposed APIs over traditional network intrusion.

What Organizations Should Do

Sources: McGraw-Hill confirms data breach following extortion threat