Education publishing giant McGraw Hill has confirmed a data breach after threat group ShinyHunters exploited a misconfigured Salesforce environment, exfiltrating over 100GB of data containing approximately 13.5 million unique user records. The stolen data was publicly leaked after an extortion attempt against the company failed. Have I Been Pwned has indexed the dump, confirming the scale of the exposure.

What Happened

ShinyHunters identified and exploited a misconfiguration in a Salesforce-hosted webpage within McGraw Hill's environment. The misconfiguration allowed access to sensitive user data without proper authentication controls. After successfully exfiltrating the dataset, ShinyHunters attempted to extort McGraw Hill. When the company declined to pay, the threat actors released the full 100GB+ dataset publicly. McGraw Hill disclosed the breach in April 2026, characterizing the exposed data as "a limited set of data from a webpage hosted by Salesforce on its platform," a framing that critics have challenged given the volume and breadth of the leak.

What Was Taken

The leaked dataset includes approximately 13.5 million unique email addresses distributed across multiple files, along with:

Data completeness varied across records, with not all entries containing every field. This inconsistency suggests the breach pulled from multiple underlying data sources or that user profiles had varying levels of completeness. The affected population spans students, educators, and professionals connected to McGraw Hill's global educational platform.

Why It Matters

This breach sits at the intersection of several trends that defenders need to track. First, ShinyHunters continues to demonstrate a reliable playbook: find misconfigured cloud assets, extract data at scale, extort, then dump publicly when payment fails. Their target selection has shifted toward education and SaaS-heavy verticals where large user populations create high-value datasets.

Second, Salesforce misconfigurations are now a recurring and predictable attack surface. Organizations treat Salesforce as a managed platform and assume default security postures are sufficient. They are not. Exposed community pages, guest user over-permissioning, and improperly scoped API access have enabled multiple high-profile breaches across sectors in the past two years.

Third, the victim population is disproportionately vulnerable. Students and educators are high-value phishing targets with generally lower security awareness than corporate users, and their institutional email addresses often unlock access to broader academic infrastructure. Expect downstream credential stuffing, targeted phishing impersonating educational institutions, and social engineering campaigns leveraging the leaked personal details.

The Attack Technique

The attack exploited a Salesforce platform misconfiguration, specifically an improperly secured webpage that exposed user data without requiring authentication. This aligns with a well-documented class of Salesforce vulnerabilities involving guest user permissions, publicly accessible Aura endpoints, or misconfigured Experience Cloud sites. These misconfigurations allow unauthenticated users to query object data that should be restricted.

ShinyHunters likely enumerated the exposed surface, identified accessible data objects, and automated bulk extraction. The group has a well-established history of targeting cloud platforms and SaaS environments, having previously breached AT&T, Ticketmaster, and dozens of other organizations through similar cloud-first attack chains. Their operational pattern favors opportunistic discovery of misconfigurations over sophisticated exploit development.
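A defender-side check for the guest user over-permissioning described above, as an added example that is not from McGraw Hill, Salesforce, or the original article: it parses a guest user profile exported in Salesforce Metadata API XML and ranks the object permissions it grants. The sample profile is constructed, and the `SENSITIVE` object list, the severity tiers, and the function name `audit_guest_profile` are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
WRITE = ("allowCreate", "allowEdit", "allowDelete")
BROAD = ("viewAllRecords", "modifyAllRecords")
# Assumption: objects this org treats as holding personal data.
SENSITIVE = {"Account", "Case", "Contact", "Lead", "User"}

# Constructed sample of a guest user profile (Metadata API XML), not real data.
SAMPLE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
 <objectPermissions><allowRead>true</allowRead><viewAllRecords>true</viewAllRecords><object>Contact</object></objectPermissions>
 <objectPermissions><allowRead>true</allowRead><allowCreate>true</allowCreate><object>Case</object></objectPermissions>
 <objectPermissions><allowRead>true</allowRead><object>Course__c</object></objectPermissions>
 <objectPermissions><allowRead>false</allowRead><object>Lead</object></objectPermissions>
 <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

def _on(node, tag):
    # A missing or empty element means the permission is not granted.
    return (node.findtext(f"sf:{tag}", "false", NS) or "").strip().lower() == "true"

def audit_guest_profile(xml_text, sensitive=SENSITIVE):
    """Return sorted (severity, subject, granted) tuples for a guest profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", "", NS).strip()
        granted = [p for p in ("allowRead",) + WRITE + BROAD if _on(op, p)]
        if not granted:
            continue
        if any(p in BROAD for p in granted):
            sev = "high"      # every record of the object, regardless of sharing
        elif any(p in WRITE for p in granted) or obj in sensitive:
            sev = "medium"    # guest can write, or can read personal data
        else:
            sev = "low"       # read-only on an object not listed as sensitive
        findings.append((sev, obj, granted))
    for up in root.findall("sf:userPermissions", NS):
        if _on(up, "enabled") and up.findtext("sf:name", "", NS).strip() == "ApiEnabled":
            findings.append(("high", "ApiEnabled", ["enabled"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

if __name__ == "__main__":
    for sev, subject, granted in audit_guest_profile(SAMPLE):
        print(f"{sev:6} {subject:12} {', '.join(granted)}")
```

Profile permissions are only one layer: sharing settings and field-level security also determine what a guest session can actually read, so an empty result here does not clear a site on its own.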

What Organizations Should Do

Organizations running Salesforce environments should take immediate action:

Sources: McGraw Hill Confirms Data Breach Exposing 13.5 Million Users' Personal Data