McGraw-Hill, one of the world's largest education publishers, confirmed on April 14, 2026, that threat actor group ShinyHunters gained unauthorized access to data hosted on the company's Salesforce platform. The group claims to hold 45 million records containing personally identifiable information and has threatened to leak the data unless ransom demands are met. The breach underscores a persistent and systemic risk: SaaS platform misconfigurations continue to hand attackers access to massive datasets without requiring a single exploit.

What Happened

ShinyHunters publicly claimed responsibility for the breach after extracting records from McGraw-Hill's Salesforce environment. The group followed its well-established playbook: compromise a third-party platform, exfiltrate data at scale, and pressure the victim with the threat of public disclosure.

McGraw-Hill acknowledged the unauthorized access but pushed back on ShinyHunters' characterization of the stolen data, stating the exposure was limited in scope. The company says it immediately secured the affected webpages after detection. However, the gap between ShinyHunters' claimed 45 million records and McGraw-Hill's assertion of limited impact leaves significant uncertainty for anyone whose data may reside in the company's Salesforce instance.

What Was Taken

ShinyHunters claims the haul includes 45 million Salesforce records containing personally identifiable information. McGraw-Hill has stated that Social Security numbers, financial account details, and student platform data were not among the exposed records.

Given McGraw-Hill's position in the education sector, the Salesforce environment likely contained contact information for educators, institutional buyers, administrators, and potentially students or parents who interacted with McGraw-Hill's sales and support channels. Even without financial data, names, email addresses, phone numbers, institutional affiliations, and purchase histories represent a rich dataset for phishing, social engineering, and credential-stuffing operations targeting the education sector.

Why It Matters

This breach carries weight beyond its raw record count for three reasons.

First, it is the latest in a string of high-profile ShinyHunters operations that target SaaS platforms rather than victims directly. The group previously exploited Snowflake customers through the Anodot analytics platform, hit Hims & Hers through Zendesk, and compromised European Commission infrastructure on AWS. Each attack follows the same logic: the SaaS provider becomes the attack surface, and the customer inherits the risk.

Second, McGraw-Hill itself described the root cause as "part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations." This is an admission that the vulnerability is not unique to McGraw-Hill. Other organizations running Salesforce with similar configurations may already be exposed or compromised without knowing it.

Third, the education sector holds data on minors, families, and institutions that carries long-term value to threat actors. Compromised student or educator records can fuel targeted phishing for years and are difficult to remediate once exposed.

The Attack Technique

The intrusion did not rely on a zero-day exploit or sophisticated tooling. McGraw-Hill attributed the breach to a misconfiguration in its Salesforce environment that left a webpage accessible to unauthorized users.

Salesforce misconfiguration is a well-documented and recurring attack surface. Common issues include overly permissive guest user access, improperly configured sharing rules, exposed Aura and Lightning API endpoints, and Communities or Experience Cloud sites that inadvertently grant unauthenticated users access to internal objects. Security researchers have flagged these risks repeatedly, and multiple organizations across industries have suffered data exposures from identical root causes.

ShinyHunters has demonstrated a pattern of identifying these configuration gaps across SaaS platforms and exploiting them at scale. The group operates with the understanding that many organizations treat SaaS deployments as inherently secure and fail to audit the access controls their configurations actually enforce.
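One way to audit the guest-access issue described above, as an added example that is not from the article, McGraw-Hill, or Salesforce: it reads a guest user profile exported through the Salesforce Metadata API and lists every object or user permission the profile grants to unauthenticated visitors. The sample profile and the allow-list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
GRANTS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
          "viewAllRecords", "modifyAllRecords")
# User permissions that should not be enabled on an unauthenticated profile.
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData", "ViewAllUsers"}

# Constructed sample of a guest profile (.profile-meta.xml), not real data.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userLicense>Guest User License</userLicense>
  <objectPermissions><object>Contact</object><allowRead>true</allowRead></objectPermissions>
  <objectPermissions><object>Account</object><allowRead>true</allowRead><viewAllRecords>true</viewAllRecords></objectPermissions>
  <objectPermissions><object>Case</object><allowRead>false</allowRead></objectPermissions>
  <objectPermissions><object>Knowledge__kav</object><allowRead>true</allowRead></objectPermissions>
  <userPermissions><name>ApiEnabled</name><enabled>true</enabled></userPermissions>
  <userPermissions><name>ViewAllData</name><enabled>false</enabled></userPermissions>
</Profile>"""

def _on(node, tag):
    """True when the child element <tag> is present and set to 'true'."""
    return node.findtext(f"sf:{tag}", default="false", namespaces=NS).strip().lower() == "true"

def audit_guest_profile(xml_text, allowed_objects=frozenset()):
    """Return (severity, name, detail) findings for a guest profile; [] for other profiles."""
    root = ET.fromstring(xml_text)
    if "guest" not in root.findtext("sf:userLicense", default="", namespaces=NS).lower():
        return []
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="?", namespaces=NS)
        granted = [g for g in GRANTS if _on(op, g)]
        if {"viewAllRecords", "modifyAllRecords"} & set(granted):
            # Bypasses sharing entirely: every record of the object is visible.
            findings.append(("HIGH", obj, ",".join(granted)))
        elif granted and obj not in allowed_objects:
            # Any grant on an object nobody approved for public access.
            findings.append(("REVIEW", obj, ",".join(granted)))
    for up in root.findall("sf:userPermissions", NS):
        name = up.findtext("sf:name", default="?", namespaces=NS)
        if _on(up, "enabled") and name in RISKY_USER_PERMS:
            findings.append(("HIGH", name, "user permission enabled"))
    return findings

if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_PROFILE, {"Knowledge__kav"}):
        print(*finding, sep="\t")
```

Profile grants are only one layer: sharing rules and org-wide defaults also determine which records a guest can reach, so a clean result here does not by itself clear a site.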

ShinyHunters: Threat Actor Profile

ShinyHunters has operated as one of the most prolific data extortion groups over the past two years. Their targeting is platform-centric rather than victim-centric: they identify vulnerable SaaS configurations, extract data from multiple customers of that platform, and monetize through extortion and data sales.

Known operations include breaches of Snowflake customer environments via Anodot, healthcare data theft from Hims & Hers through Zendesk, attacks on Rockstar Games, and the compromise of European Commission AWS infrastructure. The McGraw-Hill breach fits this operational pattern precisely and suggests the group continues to actively scan for misconfigured SaaS deployments across sectors.

What Organizations Should Do

Organizations running Salesforce or any customer-facing SaaS platform should take immediate action:

The consistent lesson from ShinyHunters' operations is that SaaS platforms shift capability to customers but do not shift security by default. The responsibility for configuration lives with the deploying organization, and that gap between assumption and reality is exactly where threat actors operate.

Sources: McGraw-Hill Breach: ShinyHunters Claims 45 Million Records