Educational publishing giant McGraw Hill has been added to the ShinyHunters extortion leak site after a Salesforce-linked misconfiguration exposed at least 13.5 million records. The publisher confirmed the incident to multiple outlets, while ShinyHunters claims the haul exceeds 40 million Salesforce records and over 100 GB of data. Have I Been Pwned has indexed the dataset, confirming the scale of the exposure.
What Happened
McGraw Hill confirmed that a "limited" Salesforce-hosted webpage was misconfigured, allowing unauthorized parties to harvest customer data. The publisher framed the incident as part of a "broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations," distancing itself from any direct compromise of internal systems.
ShinyHunters listed McGraw Hill on its dark web leak site this week alongside other recent victims, including Rockstar Games. The group accuses the publisher of refusing to pay an extortion demand before an April 14 deadline. McGraw Hill has not posted any acknowledgment on its own website and did not respond to The Register's inquiries.
What Was Taken
Have I Been Pwned reports that the leaked dataset contains:
- 13.5 million unique email addresses
- Full names
- Phone numbers
- Some physical addresses
The publicly circulating archive exceeds 100 GB. ShinyHunters claims its full possession totals over 40 million records, with some reporting suggesting figures as high as 45 million. McGraw Hill maintains that the breach "did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems."
Why It Matters
McGraw Hill serves K-12 schools, higher education institutions, and professional learners worldwide, meaning the exposed dataset likely contains contact details for students, educators, and parents, populations that include minors and academic staff. Identity-rich datasets of this scale are prime fuel for targeted phishing, account takeover campaigns, and education-sector social engineering.
The incident also reinforces a worrying pattern: ShinyHunters continues to industrialize attacks against Salesforce-adjacent surfaces, repeatedly extracting massive datasets from organizations that believed their core CRM was secure. The attack surface is no longer just the platform itself; it is every public-facing page, integration, and OAuth token that touches it.
The Attack Technique
McGraw Hill attributes the leak to a misconfigured Salesforce-hosted page, a category of exposure that typically results from overly permissive guest-user access, public Experience Cloud sites, or improperly scoped sharing rules. These misconfigurations allow unauthenticated visitors to query objects they were never meant to reach.
ShinyHunters has historically leaned on this playbook rather than exploiting Salesforce platform vulnerabilities directly. Recent campaigns attributed to the group have abused stolen OAuth tokens, vishing-derived credentials, and over-permissioned third-party integrations to siphon data while appearing as legitimate API traffic. Defenders should treat the Salesforce ecosystem, not just the platform, as the threat surface.
What Organizations Should Do
- Audit Experience Cloud and public-facing Salesforce sites. Review guest user profiles, sharing rules, and object permissions to ensure unauthenticated visitors cannot query PII.
- Inventory connected apps and OAuth tokens. Revoke unused integrations, enforce IP restrictions, and require admin approval for new connected applications.
- Enable and monitor Salesforce Event Monitoring and Shield. Watch for anomalous bulk API queries, unusual report exports, and login activity from non-corporate geographies.
- Mandate phishing-resistant MFA on all Salesforce admin and integration accounts to blunt the credential theft and vishing tactics ShinyHunters favors.
- Run Salesforce Health Check and Optimizer regularly to surface drift in security settings and identify newly exposed components introduced by business users.
- Prepare an extortion playbook. Pre-decide ransom posture, legal escalation, and customer notification timelines so the organization is not negotiating policy under duress.
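One way to carry out the guest-profile audit from the first recommendation above, as an added example that is not from the original article or from Salesforce: it scans a constructed CSV export of field permissions and reports PII-type fields readable by guest profiles. The column layout (a SOQL export of FieldPermissions with its parent profile), the profile names and the PII marker list are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). Columns are assumed to mirror a
# SOQL export of FieldPermissions with its parent profile; names are made up.
SAMPLE_EXPORT = """\
Parent.Profile.Name,Parent.Profile.UserType,SobjectType,Field,PermissionsRead
Example Portal Guest Profile,Guest,Contact,Contact.Email,true
Example Portal Guest Profile,Guest,Contact,Contact.Phone,true
Example Portal Guest Profile,Guest,Contact,Contact.MailingStreet,false
Example Portal Guest Profile,Guest,Knowledge__kav,Knowledge__kav.Title,true
Example Portal Guest Profile,Guest,Lead,Lead.MobilePhone,TRUE
Sales User,Standard,Contact,Contact.Email,true
"""

# Assumption: substrings marking a field as holding the data types the article
# lists (email, name, phone, physical address). Tune this list per org.
PII_MARKERS = ("email", "phone", "street", "city", "postalcode",
               "firstname", "lastname")


def guest_pii_exposure(export_csv, markers=PII_MARKERS):
    """Return {profile: {object: [fields]}} for PII fields guests can read."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["Parent.Profile.UserType"].strip().lower() != "guest":
            continue  # only unauthenticated (guest) profiles are in scope
        if row["PermissionsRead"].strip().lower() != "true":
            continue  # field is not readable, so nothing is exposed here
        # Field is "Object.FieldName"; match markers on the field part only.
        field_name = row["Field"].split(".", 1)[-1]
        if any(m in field_name.lower() for m in markers):
            profile, obj = row["Parent.Profile.Name"], row["SobjectType"]
            findings[profile][obj].append(field_name)
    return {p: {o: sorted(f) for o, f in objs.items()}
            for p, objs in findings.items()}


if __name__ == "__main__":
    for profile, objects in guest_pii_exposure(SAMPLE_EXPORT).items():
        for obj, fields in sorted(objects.items()):
            print(f"{profile}: guest can read {obj} -> {', '.join(fields)}")
```

Field-level read access is only one layer; object permissions and sharing rules on the same guest profile still decide which records an unauthenticated visitor can reach.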
Sources: McGraw Hill linked to 13.5M-record data leak • The Register