Educational publishing giant McGraw-Hill has been added to the growing list of victims tied to the ShinyHunters cybercriminal collective, with dark web monitoring confirming the public release of approximately 100 GB of data exfiltrated from the company's Salesforce-hosted environment. The dataset, dumped on April 15, 2026 after McGraw-Hill reportedly refused an extortion demand, contains over 45 million records and roughly 13.5 million unique email addresses tied to students, educators, and partners.

What Happened

According to dark web intelligence shared by Brinztech, ShinyHunters claimed responsibility for compromising McGraw-Hill's Salesforce-hosted environment on April 11, 2026. The group followed its now-familiar playbook: exfiltrate large volumes of customer data from a cloud CRM tenant, demand payment to suppress publication, and dump the full dataset publicly when the victim declines to negotiate. McGraw-Hill chose not to pay, and four days after the intrusion the threat actors released the complete archive on monitored hacker forums.

What Was Taken

The leaked archive weighs in at roughly 100 GB and contains more than 45 million records. The exposed Personally Identifiable Information reportedly includes:

While no financial credentials or passwords have been called out in the leak description, the combination of name, address, phone, and email at this scale is more than sufficient fuel for identity fraud, account takeover via password reset abuse, and highly targeted phishing against the education sector.

Why It Matters

McGraw-Hill is one of the largest educational publishers in the world, and its customer base spans K-12 districts, universities, individual instructors, and corporate training partners across multiple regions. A 13.5 million-address email corpus tied to verified educational identities is a uniquely valuable asset for adversaries running back-to-school themed phishing, fake LMS login pages, financial-aid lures, or credential-stuffing campaigns against student information systems. The breach also continues a clear 2026 pattern in which Salesforce tenants, rather than on-prem infrastructure, are the primary entry point for ShinyHunters-attributed incidents.

The Attack Technique

Brinztech attributes the intrusion to exploitation of vulnerabilities within McGraw-Hill's Salesforce environment. Recent ShinyHunters campaigns against Salesforce tenants have consistently leaned on social engineering of support and sales staff, abuse of OAuth-connected applications, and theft of long-lived API tokens or session credentials, rather than on a flaw in the Salesforce platform itself. Once inside the tenant, the attackers issue large bulk API queries against standard objects such as Contact and Lead to stage data for exfiltration, then move the archive off-platform before defenders can spot the volume anomaly. The hard pivot from quiet theft on April 11 to public dump on April 15 mirrors the group's standard four-to-seven-day extortion window.

What Organizations Should Do

  1. Audit every connected app and API integration in your Salesforce org. Revoke unused OAuth grants, rotate refresh tokens, and require admin approval for new connected app installs.
  2. Enforce phishing-resistant MFA (FIDO2 or platform authenticators) for all Salesforce users, including service accounts and contractors, and disable SMS as a fallback factor.
  3. Tighten data-access policies inside Salesforce: apply least-privilege profiles, enable Salesforce Shield Event Monitoring, and alert on bulk API queries that return abnormally large record counts.
  4. Run tabletop exercises for the specific scenario of a CRM-tenant compromise, including legal, comms, and customer-notification workflows for an extortion-then-dump timeline measured in days, not weeks.
  5. Treat all third-party SaaS holding customer PII as in-scope for your vendor risk program, with contractual rights to logs, breach notification SLAs, and independent assurance reports.
  6. For organizations doing business with McGraw-Hill or its imprints, brief staff and end users to expect a wave of education-themed phishing using accurate name, address, and phone data over the coming weeks.
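
One way to implement the bulk-query alert from step 3, shown as an added example that is not taken from Brinztech, Salesforce, or McGraw-Hill. It assumes API event logs exported as CSV; the column names, thresholds, and sample rows are constructed for illustration and must be mapped to your own export.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample export. Column names are assumed, modelled on Event
# Monitoring API log files; map them to the fields in your own export.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_ID,ENTITY_NAME,ROWS_PROCESSED
2026-01-05T09:02:11.000Z,005A,Contact,180
2026-01-05T10:15:40.000Z,005A,Lead,220
2026-01-05T11:31:05.000Z,005A,Contact,150
2026-01-05T14:03:22.000Z,005A,Contact,4000
2026-01-05T14:09:57.000Z,005A,Lead,5000
2026-01-05T02:00:03.000Z,005B,Contact,30000
2026-01-05T02:20:44.000Z,005B,Lead,28000
2026-01-05T03:10:00.000Z,005C,Account,90000
"""

WATCHED = {"Contact", "Lead"}   # objects the article names
HARD_LIMIT = 50_000             # assumed ceiling: rows per user per hour
FACTOR = 20                     # assumed multiple of the user's own median
FLOOR = 1_000                   # ignore relative spikes smaller than this


def find_bulk_anomalies(log_text):
    """Return (user, hour, rows, reason) for abnormal hourly read volumes."""
    hourly = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["ENTITY_NAME"] in WATCHED:
            hour = row["TIMESTAMP_DERIVED"][:13]  # e.g. 2026-01-05T14
            hourly[row["USER_ID"]][hour] += int(row["ROWS_PROCESSED"])

    alerts = []
    for user, buckets in sorted(hourly.items()):
        for hour, rows in sorted(buckets.items()):
            # Baseline excludes the hour under test so a spike cannot hide itself.
            others = [r for h, r in buckets.items() if h != hour]
            if rows >= HARD_LIMIT:
                alerts.append((user, hour, rows, "hard_limit"))
            elif others and rows >= max(FLOOR, FACTOR * median(others)):
                alerts.append((user, hour, rows, "baseline"))
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_anomalies(SAMPLE_LOG):
        print(alert)
```

The hard limit catches accounts with no history, such as a newly authorized connected app, while the per-user baseline catches a normally low-volume user whose reads jump well below the hard limit.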

Sources: Alleged Database Leak of McGraw-Hill via Salesforce Compromise