McGraw-Hill, one of the world's largest education publishers, confirmed on April 14, 2026, that threat actor group ShinyHunters gained unauthorized access to data hosted on the company's Salesforce platform. The group claims to hold 45 million CRM records containing personally identifiable information and has threatened to leak the data unless ransom demands are met.
What Happened
ShinyHunters publicly claimed responsibility for the breach after exfiltrating records from McGraw-Hill's Salesforce environment. The attack exploited a misconfiguration in Salesforce that left a webpage accessible to unauthorized users, not a zero-day or novel exploit. McGraw-Hill stated that the issue was "part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations," indicating this was not an isolated failure but a systemic platform configuration weakness. The company says it immediately secured the affected webpages after detection.
What Was Taken
ShinyHunters claims to hold 45 million Salesforce records containing PII from McGraw-Hill's CRM. McGraw-Hill disputes the scope, stating the exposed data is limited and does not include Social Security numbers, financial account details, or student platform credentials. The precise contents remain contested, but CRM records in the education sector typically contain names, email addresses, phone numbers, institutional affiliations, purchase histories, and engagement metadata. Given McGraw-Hill's global footprint across K-12, higher education, and professional markets, the affected population could span students, educators, administrators, and institutional procurement contacts.
Why It Matters
This breach carries weight beyond the immediate data exposure for three reasons. First, it reinforces that SaaS platform misconfigurations remain one of the most reliable and scalable attack vectors available to threat actors. ShinyHunters did not need to compromise McGraw-Hill's internal network. They exploited the gap between a cloud provider's default configuration and the customer's assumption of security. Second, education-sector PII carries long-term value. Student records are useful for identity fraud, phishing, and social engineering campaigns that can persist for years. Third, McGraw-Hill's own acknowledgment that multiple organizations were affected by the same Salesforce misconfiguration signals a broader wave of exposures that defenders across industries should be actively investigating.
The Attack Technique
ShinyHunters followed its established playbook: target a third-party SaaS platform rather than the victim's core infrastructure, exploit a configuration weakness to gain access, exfiltrate data at scale, then extort the victim with the threat of public release. The specific vector was a misconfigured Salesforce webpage that permitted unauthorized access. Salesforce misconfigurations are a well-documented attack surface. Common issues include overly permissive guest user access, improperly scoped API permissions, exposed Aura endpoints, and Communities or Experience Cloud sites with lax object-level security. This is consistent with ShinyHunters' prior operations against Snowflake customers via Anodot, Hims & Hers via Zendesk, and the European Commission's AWS infrastructure. The group consistently identifies the weakest link in the SaaS supply chain and exploits it.
ShinyHunters: Threat Actor Profile
ShinyHunters has operated since at least 2020 and has been responsible for some of the highest-profile data breaches in recent years. The group specializes in targeting SaaS and cloud platforms rather than direct network intrusion. Notable operations include the compromise of Snowflake customer data through the Anodot analytics platform, the Hims & Hers health data breach via Zendesk, attacks against Rockstar Games, and infiltration of the European Commission's AWS infrastructure. Their operational model is consistent: identify third-party platform weaknesses, extract data in bulk, and monetize through extortion or dark web sales. The McGraw-Hill breach fits this pattern precisely and indicates the group continues to scale its operations with no signs of slowing.
What Organizations Should Do
- Audit your Salesforce configuration immediately. Review guest user permissions, Experience Cloud site access controls, object-level security, and API exposure. Do not assume defaults are secure.
- Inventory all SaaS platform attack surfaces. Map every external-facing endpoint across your CRM, helpdesk, analytics, and cloud platforms. If ShinyHunters is exploiting Salesforce misconfigurations across multiple organizations, your instance may already be exposed.
- Enable and monitor Salesforce Event Monitoring. Track login events, API calls, data exports, and permission changes. Bulk data access from unfamiliar sessions should trigger immediate alerts.
- Restrict API and guest access to the minimum required scope. Apply the principle of least privilege to every Salesforce profile, permission set, and connected app. Disable guest user access entirely if it is not operationally necessary.
- Prepare for extortion scenarios. Ensure your incident response plan covers data extortion specifically, including legal, communications, and law enforcement coordination. ShinyHunters will follow through on leak threats.
- Notify potentially affected individuals proactively. If your organization uses McGraw-Hill products or shares data with their platforms, assess your own exposure and communicate transparently with stakeholders.
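The two controls that matter most here, auditing guest-profile object permissions (the misconfiguration class described under "The Attack Technique") and alerting on bulk data access from unfamiliar sessions (the Event Monitoring recommendation above), can be prototyped as a short script. The following is an added example written for this article, not code from McGraw-Hill, Salesforce, or the original author. The permission snapshot, the event rows, the profile name "Guest License User", the IP allow-list and the field names (EVENT_TYPE, USER_ID, SESSION_KEY, CLIENT_IP, ROWS_PROCESSED, TIMESTAMP_DERIVED) are all constructed for the example; they follow the general shape of an exported profile and of Salesforce EventLogFile rows but are assumptions, not a verified schema.

```python
"""Added example (not part of the original article): two defender-side checks.

1. audit_guest_permissions(): flags a guest (unauthenticated) profile that holds
   any object permission on PII-bearing CRM objects (least-privilege violation).
2. detect_bulk_access(): runs over Event Monitoring-style rows and flags sessions
   that exceed a rows-read threshold inside a sliding window, or that originate
   from an address outside a known allow-list.

All data, profile names and field names below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Configuration audit -----------------------------------------------

# CRM objects that typically carry PII; any guest access to these is a finding.
PII_OBJECTS = {"Contact", "Lead", "Account", "Case", "Opportunity"}

# Constructed snapshot of object permissions per profile (format is assumed).
PROFILE_PERMS = {
    "Guest License User": {
        "Contact": {"read": True, "create": False, "edit": False, "delete": False},
        "Knowledge__kav": {"read": True, "create": False, "edit": False, "delete": False},
    },
    "Standard User": {
        "Contact": {"read": True, "create": True, "edit": True, "delete": False},
    },
}


def audit_guest_permissions(perms, guest_profiles=("Guest License User",)):
    """Return (profile, object, granted_perms) for guest access to PII objects."""
    findings = []
    for profile in guest_profiles:
        for obj, p in perms.get(profile, {}).items():
            if obj in PII_OBJECTS and any(p.values()):
                findings.append((profile, obj, [k for k, v in p.items() if v]))
    return findings


# ---- 2. Bulk-access detection ---------------------------------------------

KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}  # constructed allow-list (TEST-NET-3)
ROW_THRESHOLD = 100_000                        # rows per session per window; tune per org
WINDOW = timedelta(hours=1)

# Constructed EventLogFile-style rows: one routine integration session (s1) and
# one session (s2) reading far more rows than usual from an unlisted address.
EVENT_ROWS = [
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2026-04-13T01:00:00Z", "USER_ID": "005AAA",
     "SESSION_KEY": "s1", "CLIENT_IP": "203.0.113.10", "ROWS_PROCESSED": 2000},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2026-04-13T01:10:00Z", "USER_ID": "005AAA",
     "SESSION_KEY": "s1", "CLIENT_IP": "203.0.113.10", "ROWS_PROCESSED": 2000},
    {"EVENT_TYPE": "Login", "TIMESTAMP_DERIVED": "2026-04-13T01:59:00Z", "USER_ID": "005BBB",
     "SESSION_KEY": "s2", "CLIENT_IP": "198.51.100.7"},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2026-04-13T02:00:00Z", "USER_ID": "005BBB",
     "SESSION_KEY": "s2", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 40000},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2026-04-13T02:15:00Z", "USER_ID": "005BBB",
     "SESSION_KEY": "s2", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 40000},
    {"EVENT_TYPE": "API", "TIMESTAMP_DERIVED": "2026-04-13T02:30:00Z", "USER_ID": "005BBB",
     "SESSION_KEY": "s2", "CLIENT_IP": "198.51.100.7", "ROWS_PROCESSED": 40000},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_access(rows, known_ips=KNOWN_IPS, threshold=ROW_THRESHOLD, window=WINDOW):
    """Return one alert per (session, reason); reasons: unknown_ip, bulk_rows."""
    alerts, seen = [], set()
    recent = defaultdict(list)  # session -> [(timestamp, rows)] inside the window

    def emit(row, reason):
        key = (row["SESSION_KEY"], reason)
        if key not in seen:
            seen.add(key)
            alerts.append({"session": row["SESSION_KEY"], "user": row["USER_ID"],
                           "ip": row["CLIENT_IP"], "reason": reason,
                           "at": row["TIMESTAMP_DERIVED"]})

    for r in sorted(rows, key=lambda r: r["TIMESTAMP_DERIVED"]):
        ts, sess = _parse_ts(r["TIMESTAMP_DERIVED"]), r["SESSION_KEY"]
        if r["CLIENT_IP"] not in known_ips:
            emit(r, "unknown_ip")
        n = int(r.get("ROWS_PROCESSED", 0) or 0)
        if n:
            # Keep only events inside the sliding window, then test the cumulative read volume.
            recent[sess] = [(t, c) for t, c in recent[sess] + [(ts, n)] if ts - t <= window]
            if sum(c for _, c in recent[sess]) > threshold:
                emit(r, "bulk_rows")
    return alerts


if __name__ == "__main__":
    for f in audit_guest_permissions(PROFILE_PERMS):
        print("AUDIT  guest profile %r has %s on %s" % (f[0], "/".join(f[2]), f[1]))
    for a in detect_bulk_access(EVENT_ROWS):
        print("ALERT  %(reason)s session=%(session)s user=%(user)s ip=%(ip)s at=%(at)s" % a)
```

The audit deliberately flags read access alone: a guest profile that can read Contact is exactly the exposure class that lets an unauthenticated visitor pull CRM records, so the finding should be closed by removing the grant rather than by tightening it. The threshold and allow-list are starting points; in practice they come from a baseline of what each integration user normally reads per hour.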
Sources: McGraw-Hill Breach: ShinyHunters Claims 45 Million Records