Education publishing giant McGraw-Hill has confirmed unauthorized access to data hosted on its Salesforce platform after the ShinyHunters extortion group listed the company on its dark-web portal and threatened to leak stolen records. The threat actor claims possession of 45 million Salesforce records containing personally identifiable information. McGraw-Hill disputes the severity, stating the exposed data is limited and non-sensitive.

What Happened

On April 14, 2026, ShinyHunters posted McGraw-Hill to its extortion site with a deadline to pay ransom or face a public data leak. McGraw-Hill responded by confirming to BleepingComputer that attackers exploited a misconfiguration within a Salesforce-hosted webpage to gain unauthorized access. The company characterized this as part of a broader Salesforce environment issue affecting multiple organizations, not an isolated compromise of McGraw-Hill's own security controls. External cybersecurity experts have been engaged to support the ongoing investigation.

What Was Taken

The two sides tell sharply different stories about what was accessed. ShinyHunters claims to hold 45 million Salesforce records containing PII. McGraw-Hill counters that the breach touched only a "limited set of data" from a Salesforce-hosted webpage and did not include Social Security numbers, financial account information, or student data from its educational platforms. Critically, the company states that its core Salesforce accounts, customer databases, courseware, and internal systems were not accessed. Until samples surface publicly or third-party analysis is completed, the true scope remains contested.

Why It Matters

McGraw-Hill serves millions of students across K-12 and higher education, generating $2.2 billion in annual revenue. Even if the exposed data turns out to be limited in sensitivity, the sheer potential scale of 45 million records tied to an education company makes this incident significant. Education-sector data carries long-tail risk: student records, institutional contact details, and educator information can fuel phishing, identity fraud, and social engineering campaigns for years. This breach also underscores a growing pattern where threat actors target SaaS platform misconfigurations rather than breaching an organization's perimeter directly.

The Attack Technique

The intrusion vector was a misconfiguration in a Salesforce-hosted webpage, not a direct compromise of McGraw-Hill's internal infrastructure. Salesforce misconfigurations, particularly around Communities (now Experience Cloud) sites, guest user permissions, and exposed Aura API endpoints, have been a recurring attack surface across industries. Attackers can exploit overly permissive object-level access controls to extract records at scale without authenticating. McGraw-Hill's own statement acknowledges this was "part of a broader issue" affecting multiple Salesforce customers, suggesting a systemic configuration weakness rather than a targeted zero-day.
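A defender-side check for the guest-permission exposure described above, as an added example that is not from McGraw-Hill, Salesforce or the original article: it reads a guest user profile in Metadata API XML form and lists every object permission granted outside an approved set. The sample profile, its object names, the `audit_guest_profile` function and the allowlist are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
         "viewAllRecords", "modifyAllRecords")

# Constructed sample: trimmed guest-user profile in Metadata API XML form.
# Object names and values are illustrative and not taken from the incident.
SAMPLE_GUEST_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><object>Contact</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><object>Case</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><object>Knowledge__kav</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
</Profile>"""


def audit_guest_profile(xml_text, allowed_objects=frozenset()):
    """Return sorted (object, severity, granted_flags) for unapproved guest grants."""
    findings = []
    for perm in ET.fromstring(xml_text).findall("sf:objectPermissions", NS):
        obj = perm.findtext("sf:object", default="", namespaces=NS).strip()
        granted = [f for f in FLAGS
                   if perm.findtext(f"sf:{f}", default="false",
                                    namespaces=NS).strip() == "true"]
        if not granted or obj in allowed_objects:
            continue  # nothing granted, or object is approved for public access
        severity = "high" if set(granted) - {"allowRead"} else "review"
        findings.append((obj, severity, granted))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_GUEST_PROFILE, {"Knowledge__kav"}):
        print(finding)
```

Object permissions are only one layer of guest access, so sharing settings for the same objects still need a separate review.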

ShinyHunters: Threat Actor Profile

ShinyHunters is one of the most prolific data extortion groups currently active. The collective has been responsible for a string of confirmed high-profile breaches in 2026 alone, including incidents at Rockstar Games and Hims & Hers (the latter via a Zendesk misconfiguration). Their operational playbook favors exploiting third-party SaaS platforms and cloud misconfigurations over traditional ransomware deployment. They monetize through direct extortion, threatening public leaks on their dark-web portal, and through secondary sales on underground marketplaces. Their consistent targeting of SaaS-hosted data signals a deliberate strategy: go after the supply chain, not the front door.

What Organizations Should Do

Sources: McGraw-Hill confirms data breach following extortion threat