On April 14, 2026, education publishing giant McGraw-Hill confirmed that threat actors exploited a misconfiguration in its Salesforce-hosted environment, resulting in unauthorized access to internal data. The extortion group ShinyHunters claimed responsibility, alleging it holds approximately 45 million Salesforce records containing personally identifiable information and threatening to leak the data if a ransom was not paid.

What Happened

ShinyHunters targeted a webpage hosted by Salesforce on McGraw-Hill's platform, exploiting what the company describes as "a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations." The threat actor listed McGraw-Hill on its dark-web extortion portal and set an April 14 deadline for ransom payment before public release of the stolen dataset. McGraw-Hill engaged external cybersecurity experts and says the affected webpages were secured immediately after detection.

What Was Taken

The two sides tell very different stories about the scope. McGraw-Hill states that the exposed data is "limited and non-sensitive," explicitly ruling out Social Security numbers, financial account information, student educational data, customer databases, courseware, and internal system access. ShinyHunters, however, claims to possess 45 million Salesforce records containing PII. Given ShinyHunters' track record of verifiable breaches in 2026 alone, including Rockstar Games and Hims & Hers, defenders should treat the larger claim as plausible until independent verification is available.

Why It Matters

This incident highlights a systemic risk in SaaS platform configurations. McGraw-Hill itself acknowledged that the Salesforce misconfiguration affected "multiple organizations," signaling that this is not an isolated failure but a pattern. For an education company serving K-12 schools, universities, and millions of learners globally, even "non-sensitive" metadata at scale can be combined with other datasets for identity resolution, phishing targeting, and social engineering. The $2.2 billion-revenue company's exposure also underscores that high-value targets are only as secure as their third-party platform configurations.

The Attack Technique

ShinyHunters exploited a Salesforce platform misconfiguration, a well-documented attack surface. Common vectors include: exposed Salesforce Communities/Experience Cloud guest user permissions, misconfigured Aura API endpoints leaking object data, overly permissive sharing rules on Salesforce Sites, and SOQL injection through improperly secured custom APIs. The "broader issue" language from McGraw-Hill suggests a default or inherited configuration flaw within Salesforce's environment rather than a bespoke application vulnerability, which would explain multiple affected organizations.
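A defender-side check for the first vector listed above, guest user permissions, is shown here as an added example; it is not from the original article, McGraw-Hill, or Salesforce, and nothing in it reflects the actual configuration involved in this incident. It parses a guest profile's metadata XML (the Metadata API Profile format) and flags write or view-all object access and risky system permissions; the sample profile, the severity labels, and the read allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Object-level flags that are risky on an unauthenticated (guest) profile.
RISKY_OBJECT_FLAGS = ("allowEdit", "allowDelete", "viewAllRecords", "modifyAllRecords")
# System permissions that should not be enabled for a guest user.
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData", "ViewAllUsers"}

# Constructed sample of a guest profile's metadata (illustrative, not from the incident).
SAMPLE_GUEST_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><object>Contact</object><allowRead>true</allowRead>
    <allowEdit>false</allowEdit><viewAllRecords>true</viewAllRecords></objectPermissions>
  <objectPermissions><object>Case</object><allowRead>true</allowRead>
    <allowEdit>true</allowEdit></objectPermissions>
  <objectPermissions><object>Knowledge__kav</object><allowRead>true</allowRead>
    <allowEdit>false</allowEdit></objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewAllData</name></userPermissions>
</Profile>"""


def _is_true(elem, tag):
    """True when the child element <tag> exists and holds the text 'true'."""
    node = elem.find(f"sf:{tag}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_guest_profile(xml_text, allowed_read=frozenset()):
    """Return sorted (severity, subject, reason) findings for a guest profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="?", namespaces=NS)
        flags = [f for f in RISKY_OBJECT_FLAGS if _is_true(op, f)]
        if flags:
            findings.append(("HIGH", obj, "guest has " + ",".join(flags)))
        elif _is_true(op, "allowRead") and obj not in allowed_read:
            # Read-only access is flagged for review unless explicitly expected.
            findings.append(("REVIEW", obj, "guest read not on allowlist"))
    for up in root.findall("sf:userPermissions", NS):
        name = up.findtext("sf:name", default="?", namespaces=NS)
        if name in RISKY_USER_PERMS and _is_true(up, "enabled"):
            findings.append(("HIGH", name, "system permission enabled for guest"))
    return sorted(findings)


if __name__ == "__main__":
    for sev, subject, reason in audit_guest_profile(SAMPLE_GUEST_PROFILE, {"Knowledge__kav"}):
        print(f"{sev:6} {subject:15} {reason}")
```

Object permissions are only one layer: record exposure to guests also depends on sharing settings, which this check does not read.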

ShinyHunters: Threat Actor Profile

ShinyHunters has operated since at least 2020 and has evolved from a data-theft-and-dump operation into a structured extortion group. In 2026 alone, the group has claimed breaches against Rockstar Games and Hims & Hers (via Zendesk), demonstrating a clear pattern of targeting SaaS platforms and third-party integrations rather than core infrastructure. Their playbook is consistent: exploit misconfigurations in widely used platforms, exfiltrate at scale, and use extortion deadlines to pressure payment.

What Organizations Should Do

Sources: McGraw-Hill confirms data breach following extortion threat