Textbook publisher McGraw Hill has been added to the ShinyHunters extortion leak site after a misconfigured Salesforce-hosted environment exposed roughly 13.5 million user records, totaling more than 100GB of stolen data. The publisher confirmed the incident in statements to multiple outlets, attributing it to a "broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations." Have I Been Pwned has already ingested the dataset.

What Happened

ShinyHunters listed McGraw Hill on its dark web leak site this week alongside other recent victims, including Rockstar Games. The crew claims to hold "over 40M Salesforce records containing PII data" across its current campaign and accused the publisher of refusing to pay a ransom before an April 14, 2026 deadline. After the deadline lapsed, the actor published the full 100GB cache.

McGraw Hill has not posted any public notice on its own website or corporate channels but provided written statements to outlets including BleepingComputer. The company described the source of the leak as a "limited" Salesforce-hosted webpage and insisted the intrusion "did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems." Salesforce itself has declined to comment.

What Was Taken

According to Have I Been Pwned and the leak listing, the exposed dataset includes:

The data is overwhelmingly customer and user PII rather than payment, credential, or courseware material. While McGraw Hill emphasizes that core systems were not touched, the volume and identifiability of the leaked records make the dataset highly useful for downstream phishing, credential stuffing pretexts, and education-sector social engineering.

Why It Matters

McGraw Hill is one of the largest education publishers globally, and its user base spans students, educators, and institutional administrators across K-12, higher education, and professional training. A leak of this size puts a heavily targeted demographic, students at the start of their digital lives, into the hands of an extortion crew with a track record of monetizing such datasets through resale and follow-on intrusions.

Strategically, this incident continues a 2025-2026 pattern in which ShinyHunters and adjacent crews have shifted away from breaching SaaS platforms directly and toward exploiting customer-side misconfiguration and credential abuse. The "blame the platform" framing offered by McGraw Hill is increasingly common but rarely captures the operational reality: the customer typically owns the misconfigured surface.

The Attack Technique

McGraw Hill has not published technical detail, but the public framing points to a customer-side Salesforce exposure rather than a flaw in Salesforce itself. Most Salesforce-linked compromises in this campaign cluster have stemmed from one of three vectors: stolen or phished credentials reused against Salesforce tenants, abuse of OAuth-connected third-party applications with broad data scopes, or over-permissioned integrations and public-facing Experience Cloud or Site.com pages that allow unauthenticated record enumeration.

The reference to a "limited Salesforce-hosted webpage" strongly suggests an Experience Cloud or community-style page misconfigured to allow guest user access to backend objects, a pattern ShinyHunters has industrialized over the past year. Once inside, the actor typically uses Data Loader or Bulk API queries to exfiltrate quietly, which would be consistent with the 100GB volume observed here.

What Organizations Should Do

  1. Audit all Salesforce Experience Cloud and community sites for guest user permissions, with particular attention to object-level read access on Contact, Lead, Account, and custom PII objects.
  2. Inventory connected OAuth apps in your Salesforce tenant and revoke any that are unused, over-scoped, or unattributed; rotate refresh tokens for the rest.
  3. Enforce IP allowlisting, MFA, and conditional access for all Salesforce admin and integration accounts, including service accounts used by ETL or marketing tooling.
  4. Enable and monitor Salesforce Event Monitoring for Bulk API and Data Loader events, alerting on unusual record volumes per user or per session.
  5. If your organization is a McGraw Hill customer, partner, or shares user populations with the platform, prepare for a wave of education-themed phishing using the leaked names, emails, and phone numbers as pretext.
  6. Review your own breach disclosure posture: McGraw Hill's silence on its own channels while talking to press is generating reputational damage that a coordinated public statement would have contained.
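
A minimal sketch of the per-session volume alert described in step 4, added here as an illustration and not taken from McGraw Hill, Salesforce, or the cited reporting. The log rows are constructed, the column and operation names are assumptions modelled on an Event Monitoring CSV export, and the row threshold is hypothetical; map all three to your own tenant.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumptions modelled on an
# Event Monitoring CSV export; map them to the headers in your own export.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SESSION_KEY,ENTITY_TYPE,OPERATION_TYPE,ROWS_PROCESSED
BulkApi,2026-04-01T02:10:00Z,005EXAMPLE0001,sessA,Contact,query,1200
BulkApi,2026-04-01T02:40:00Z,005EXAMPLE0001,sessA,Lead,insert,90000
BulkApi,2026-04-02T03:05:00Z,005EXAMPLE0002,sessB,Contact,query,250000
BulkApi,2026-04-02T03:06:00Z,005EXAMPLE0002,sessB,Contact,query,250000
BulkApi,2026-04-02T03:07:00Z,005EXAMPLE0002,sessB,Lead,query,180000
BulkApi,2026-04-02T09:00:00Z,005EXAMPLE0003,sessC,Product2,query,900000
ApiTotalUsage,2026-04-02T09:01:00Z,005EXAMPLE0003,sessC,Contact,query,700000
"""

PII_OBJECTS = {"Contact", "Lead", "Account"}  # add custom PII objects here
READ_OPS = {"query", "queryall"}              # read-type operations (assumed names)
SESSION_ROW_LIMIT = 100_000                   # hypothetical threshold, tune per org


def find_bulk_export_anomalies(log_text, limit=SESSION_ROW_LIMIT):
    """Return alerts for sessions whose bulk reads of PII objects exceed limit."""
    totals = defaultdict(lambda: defaultdict(int))  # (user, session) -> object -> rows
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "BulkApi" or row["ENTITY_TYPE"] not in PII_OBJECTS:
            continue
        if row["OPERATION_TYPE"].lower() not in READ_OPS:
            continue  # writes do not move data out of the tenant
        try:
            rows = int(row["ROWS_PROCESSED"])
        except ValueError:
            continue  # skip malformed counts instead of aborting the run
        totals[(row["USER_ID"], row["SESSION_KEY"])][row["ENTITY_TYPE"]] += rows

    alerts = []
    for (user, session), per_object in sorted(totals.items()):
        total = sum(per_object.values())
        if total > limit:
            alerts.append({"user": user, "session": session,
                           "rows": total, "objects": dict(per_object)})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_export_anomalies(SAMPLE_LOG):
        print(alert)
```

Summing per session rather than per event matters because a large export is usually split into many batches, each of which can look unremarkable on its own.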

Sources: McGraw Hill linked to 13.5M-record data leak • The Register