Education publishing giant McGraw-Hill has confirmed a data breach after the extortion group ShinyHunters listed the company on its dark-web portal and threatened to leak stolen data by April 14 unless a ransom was paid. The company disclosed to BleepingComputer that attackers exploited a Salesforce misconfiguration to access internal data. ShinyHunters claims to hold 45 million Salesforce records containing personally identifiable information, a figure McGraw-Hill disputes, stating the exposed data is limited and non-sensitive.
What Happened
McGraw-Hill identified unauthorized access to a limited set of data hosted on a webpage within its Salesforce environment. The company attributes the incident to a broader misconfiguration within Salesforce's platform that has impacted multiple organizations. Upon detection, McGraw-Hill secured the affected webpages and engaged external cybersecurity experts to investigate the scope of the breach. The company is now working closely with Salesforce to harden protections and fully remediate the issue.
ShinyHunters, the extortion group behind the attack, posted McGraw-Hill to its leak site and set an April 14 deadline for ransom payment before releasing stolen data publicly. This tactic is consistent with ShinyHunters' established playbook of exfiltrating data from third-party platforms and leveraging public pressure to coerce payment.
What Was Taken
The two sides present sharply different accounts of what was compromised. McGraw-Hill states its investigation found no exposure of Social Security numbers, financial account information, or student data from its educational platforms. The company also asserts that its Salesforce accounts, customer databases, courseware, and internal systems were not accessed.
ShinyHunters, however, claims possession of 45 million Salesforce records containing PII. The true scope likely falls somewhere between these two positions. Organizations in the education sector should treat any data associated with Salesforce-hosted pages as potentially exposed until independent verification is available.
Why It Matters
McGraw-Hill is a major force in education publishing with $2.2 billion in annual revenue, serving K-12 schools, universities, and corporate learning environments. Even if the breach is confined to non-sensitive metadata, the sheer volume of records claimed by ShinyHunters raises concerns about downstream phishing, social engineering, and identity correlation attacks against students and educators.
More critically, this incident highlights a systemic risk. McGraw-Hill's own statement acknowledges the Salesforce misconfiguration "has impacted multiple organizations." This is not an isolated failure. It points to a class of vulnerability in how enterprises configure and expose data through SaaS platforms, where the shared responsibility model often leaves gaps that neither the vendor nor the customer adequately monitors.
The Attack Technique
The attack vector was a misconfiguration in Salesforce-hosted webpages, not a direct compromise of McGraw-Hill's internal infrastructure. Salesforce environments expose various web-facing components, including Experience Cloud sites, public-facing APIs, and guest user access controls, that can leak data when improperly configured. Overly permissive guest user profiles, exposed Aura endpoints, and misconfigured sharing rules are well-documented attack surfaces in Salesforce deployments.
ShinyHunters has a track record of targeting third-party platform misconfigurations rather than breaching primary infrastructure directly. Their 2026 campaign has already hit Rockstar Games and Hims & Hers through similar SaaS platform exploitation, indicating a systematic approach to harvesting data from misconfigured cloud environments at scale.
Threat Actor Profile: ShinyHunters
ShinyHunters is a prolific data extortion group that has been active since 2020 and has escalated operations significantly in 2026. The group specializes in exploiting third-party service misconfigurations, exposed cloud storage, and SaaS platform vulnerabilities. Rather than deploying ransomware, ShinyHunters focuses on data theft and extortion, threatening public leaks to pressure victims into payment. Confirmed 2026 breaches attributed to the group include Rockstar Games and Hims & Hers, both involving third-party platform exploitation.
What Organizations Should Do
- Audit Salesforce configurations immediately. Review guest user access, Experience Cloud site permissions, Aura endpoint exposure, and object-level sharing rules. Salesforce's own Health Check tool is a starting point, but manual review of SOQL query access and API exposure is essential.
- Enumerate all SaaS-hosted web pages. Many organizations lose track of public-facing pages created within SaaS platforms. Conduct an inventory of every externally accessible endpoint across Salesforce and similar platforms.
- Implement continuous SaaS security posture management (SSPM). Point-in-time audits are insufficient. Deploy tooling that monitors for configuration drift, permission changes, and anomalous data access patterns in real time.
- Assume breach for exposed records. If your organization uses Salesforce and has not recently audited configurations, operate under the assumption that similar misconfigurations may exist. Proactively notify affected parties and monitor for credential stuffing or phishing activity targeting exposed contacts.
- Monitor ShinyHunters' leak site and data markets. Even if your organization is not a named victim, data from the "broader issue" McGraw-Hill references may include records from other Salesforce customers. Threat intelligence teams should actively track for organizational data appearing in extortion channels.
- Review third-party risk contracts. Ensure SaaS vendor agreements include breach notification obligations, configuration audit rights, and shared responsibility documentation that clearly delineates who owns security for customer-facing components.
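The guest-access audit and drift monitoring recommended above can be sketched as follows; this is an added example, not code from McGraw-Hill, Salesforce, or the original article. It assumes ObjectPermissions rows have been exported from your own org with the owning profile name and user license flattened into hypothetical `Profile` and `License` columns, and the profiles, allowlist, and snapshots are constructed sample data.

```python
# Added example: flag object permissions granted to guest-licensed profiles
# and report drift between two exported snapshots of your own org.
GUEST_LICENSE = "Guest User License"  # assumed value of the flattened License column
# CRUD and view-all/modify-all flags as named on the ObjectPermissions object
FLAGS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
         "PermissionsDelete", "PermissionsViewAllRecords",
         "PermissionsModifyAllRecords")
# Approved guest access for this hypothetical org, as (object, flag) pairs
ALLOWED = {("Knowledge__kav", "PermissionsRead"), ("Case", "PermissionsCreate")}

def row(profile, lic, obj, *flags):
    """Build one constructed export row; flags not listed are False."""
    return {"Profile": profile, "License": lic, "SobjectType": obj,
            **{f: f in flags for f in FLAGS}}

# Constructed sample snapshots, not real data
BASELINE = [
    row("Help Center Profile", GUEST_LICENSE, "Knowledge__kav", "PermissionsRead"),
    row("Help Center Profile", GUEST_LICENSE, "Case", "PermissionsCreate"),
    row("Sales User", "Salesforce", "Contact", "PermissionsRead", "PermissionsEdit"),
]
CURRENT = [
    BASELINE[0],
    row("Help Center Profile", GUEST_LICENSE, "Case",
        "PermissionsCreate", "PermissionsRead"),
    BASELINE[2],
    row("Help Center Profile", GUEST_LICENSE, "Contact",
        "PermissionsRead", "PermissionsViewAllRecords"),
]

def guest_grants(rows):
    """Set of (profile, object, flag) for every flag a guest profile holds."""
    return {(r["Profile"], r["SobjectType"], f)
            for r in rows if r.get("License") == GUEST_LICENSE
            for f in FLAGS if r.get(f)}

def audit(rows, allowed=ALLOWED):
    """Guest grants that fall outside the approved allowlist, sorted."""
    return sorted(g for g in guest_grants(rows) if (g[1], g[2]) not in allowed)

def drift(before, after):
    """Guest grants added and removed between two snapshots."""
    old, new = guest_grants(before), guest_grants(after)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for profile, obj, flag in audit(CURRENT):
        print(f"UNAPPROVED guest grant: {profile} -> {obj}.{flag}")
    added, removed = drift(BASELINE, CURRENT)
    print(f"drift: +{len(added)} / -{len(removed)} guest grants")
```

Object permissions are only one layer: sharing rules, org-wide defaults, and Aura endpoint exposure still need separate review.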
Sources: McGraw-Hill confirms data breach following extortion threat