The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts, stolen after breaching the company’s Salesforce environment earlier this month.
Founded in 1909, McGraw Hill is a leading global educational publisher with annual revenue of $2.2 billion that provides education content and solutions for PreK–12, higher education, and professional learning.
The company confirmed ShinyHunters’ breach claims in a statement shared with BleepingComputer on Tuesday, saying the threat actors exploited a misconfiguration in the compromised Salesforce environment and that the incident didn’t affect its Salesforce accounts, courseware, customer databases, or internal systems.
“McGraw-Hill recently identified unauthorized access to a limited set of data from a webpage hosted by Salesforce on its platform. This activity appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations that work with Salesforce,” a McGraw-Hill spokesperson told BleepingComputer.
This came after ShinyHunters added the company to the gang’s dark web leak site, claiming to have stolen 45 million Salesforce records containing personally identifiable information (PII) and threatening to leak the allegedly stolen documents online unless a ransom is paid.
While McGraw Hill has yet to share how many individuals were affected by the resulting breach, the data breach notification service Have I Been Pwned says ShinyHunters has now leaked over 100GB of files containing data linked to 13.5 million accounts.
The exposed information includes names, physical addresses, phone numbers, and email addresses, which threat actors could use to target McGraw Hill customers in spear-phishing attacks.
“In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed ‘a limited set of data from a webpage hosted by Salesforce on its platform’,” Have I Been Pwned said today.
“More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records.”
This week, ShinyHunters has also started leaking data stolen after breaching the Snowflake environment of American video game publisher Rockstar Games. The stolen data includes internal analytics used to monitor Rockstar’s online services and support tickets, as well as in-game revenue and purchase metrics, player behavior tracking, and game economy data for Red Dead Online and Grand Theft Auto Online.
In recent months, the extortion gang was also behind security breaches affecting the European Commission, Infinite Campus, Hims & Hers, Telus Digital, Wynn Resorts, CarGurus, Panera Bread, SoundCloud, and dating giant Match Group.
