McGraw-Hill Salesforce Data Breach 2026: Analysis of ShinyHunters Extortion and Cloud Misconfiguration Risks

Executive Summary

On April 14, 2026, McGraw-Hill publicly confirmed a data breach following an extortion threat from the ShinyHunters group. The breach was traced to a misconfiguration in the company’s Salesforce environment, which allowed unauthorized access to internal data hosted on Salesforce web resources. According to McGraw-Hill, the breach did not impact its Salesforce accounts, customer databases, or internal systems, and the exposed data was described as limited and non-sensitive. However, threat actors claimed to possess up to 45 million records containing personally identifiable information (PII), a claim not fully corroborated by independent analysis. Previous incidents involving McGraw-Hill include a 2022 exposure of student data and a 2023 leak of user PII on a hacking forum. The incident highlights persistent risks associated with cloud misconfigurations in the education sector and underscores the importance of robust cloud security practices. All findings in this report are based on primary sources and technical evidence as cited.

Technical Information

The breach at McGraw-Hill was the result of a misconfiguration in its Salesforce cloud environment. Attackers exploited this misconfiguration to gain unauthorized access to data hosted on a Salesforce-powered webpage. This attack vector aligns with MITRE ATT&CK technique T1530 (Data from Cloud Storage), which describes adversaries accessing data from misconfigured cloud storage, and T1190 (Exploit Public-Facing Application), which involves exploiting vulnerabilities or misconfigurations in internet-facing applications. The exploitation did not involve malware or credential theft; rather, it relied on unauthorized web or API access to the misconfigured Salesforce resources.

McGraw-Hill’s official statement confirmed that the breach did not involve unauthorized access to its Salesforce accounts, customer databases, courseware, or internal systems. The company, with assistance from external cybersecurity experts, determined that the exposed information did not include Social Security numbers, financial account information, or student data from its educational platforms. The affected webpages were secured immediately after the unauthorized activity was detected, and McGraw-Hill is working with Salesforce to strengthen protections and address the issue.

The ShinyHunters group, known for high-profile data extortion campaigns, claimed responsibility for the breach and threatened to leak the stolen data unless a ransom was paid. ShinyHunters asserted possession of 45 million Salesforce records containing PII, but this claim is not fully substantiated by independent technical analysis. Previous research by vpnMentor and Bitdefender confirmed the exposure of full names, usernames, account IDs, email addresses, and potentially grades and physical addresses in earlier McGraw-Hill incidents, but did not verify the full extent of the current breach.

Technical analysis indicates that the attack was conducted using automated scripts or API queries to access the misconfigured Salesforce resources. No malware, command-and-control infrastructure, or credential theft was identified in connection with this incident. The attack method is consistent with other recent Salesforce data exposure incidents and aligns with ShinyHunters’ known tactics, techniques, and procedures (TTPs).

The education sector, and particularly vendors providing digital learning platforms, has been increasingly targeted by threat actors exploiting cloud misconfigurations. The exposure of student data and grades raises concerns regarding compliance with the Family Educational Rights and Privacy Act (FERPA) and other privacy regulations. The risk of phishing, identity theft, and fraud for affected students and users is elevated due to the nature of the exposed data.

Attribution to ShinyHunters is assessed with medium confidence, based on their public claim, historical pattern of similar attacks, and alignment with observed TTPs. However, there are no unique technical artifacts directly linking the group to this specific breach.

Affected Versions & Timeline

The breach affected a limited set of data hosted on a Salesforce-powered webpage operated by McGraw-Hill. The company has not specified particular product versions or platforms impacted, but confirmed that its core Salesforce accounts, customer databases, and internal systems were not compromised.

The incident timeline, based on primary sources, is as follows: In mid-June 2022, vpnMentor detected a data exposure involving McGraw-Hill’s cloud storage buckets. By late July 2022, McGraw-Hill removed the exposed files. On September 21, 2022, the company confirmed the removal to vpnMentor. On November 6, 2023, a database containing PII of 90,875 users was posted on a hacking forum. On April 14, 2026, ShinyHunters issued an extortion threat and McGraw-Hill publicly confirmed the breach.

The most recent incident is directly linked to a Salesforce misconfiguration, with the breach window occurring prior to April 14, 2026. The company reports that the affected webpages were secured immediately after detection of unauthorized activity.

Threat Activity

The ShinyHunters group is a well-known data extortion actor active since at least 2020, responsible for numerous high-profile breaches across various sectors, including education, gaming, retail, and government. In this incident, ShinyHunters claimed responsibility for the McGraw-Hill breach and threatened to leak the stolen data unless a ransom was paid. The group’s tactics typically involve exploiting misconfigured cloud services and public-facing applications, exfiltrating large datasets, and using extortion to pressure victims.

Recent victims of ShinyHunters include Rockstar Games, Hims & Hers, the European Commission, Telus Digital, Wynn Resorts, Canada Goose, Match Group, Panera Bread, CarGurus, and Infinite Campus, another K-12 education platform. The group’s activities are characterized by rapid exploitation of cloud misconfigurations, large-scale data exfiltration, and public extortion threats.

In the McGraw-Hill incident, ShinyHunters claimed to possess 45 million Salesforce records containing PII. However, McGraw-Hill maintains that the compromised data is limited and non-sensitive, and independent analysis has not verified the full extent of the claimed data set. Previous incidents involving McGraw-Hill include a 2022 exposure of student data and a 2023 leak of user PII, both resulting from cloud misconfigurations.

The risk to affected individuals includes phishing, identity theft, and fraud, as the exposed data could be used in social engineering attacks. The incident underscores the persistent threat posed by data extortion groups targeting cloud misconfigurations in the education sector.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Immediate review and remediation of all cloud service configurations, with a focus on Salesforce and other platforms hosting sensitive data. Ensure that all web resources and storage buckets are properly secured and not publicly accessible unless explicitly required.

High: Conduct a comprehensive audit of access controls and permissions for all cloud-hosted data. Implement least privilege principles and regularly review user and application access to sensitive resources.
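The two recommendations above (public exposure of web resources, and least-privilege review of cloud-hosted data) come down, for a Salesforce site, to what the unauthenticated guest user is allowed to read. The script below is an added example written for this report, not McGraw-Hill's, Salesforce's or Rescana's code. Its input is a constructed list of records shaped like rows from the Salesforce ObjectPermissions object (the SobjectType, PermissionsRead, PermissionsViewAllRecords and Parent.Label field names are real; every value, the custom objects Student__c and Grade__c, and the list of objects treated as sensitive are assumptions for the example). It flags any sensitive object a guest grant can read, and escalates when "View All Records" is also set, since that bypasses record-level sharing.

```python
"""Audit guest-user object permissions on a public Salesforce site.

Added example; not code from the page or the organisations it describes.
Rows are constructed to resemble what a query such as
  SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords, Parent.Label
  FROM ObjectPermissions WHERE ParentId IN (<guest profile / permission sets>)
could return. All values below are invented.
"""
from dataclasses import dataclass

# Objects that should never be readable without authentication.
# Assumed list for the example; tune it to the org's own data model.
SENSITIVE_OBJECTS = {
    "Contact", "Lead", "Account", "Case", "User",
    "Student__c", "Grade__c",  # hypothetical custom objects
}

# Constructed sample of guest-user grants on a misconfigured site.
SAMPLE_GUEST_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsViewAllRecords": False, "Parent": {"Label": "Site Guest User Profile"}},
    {"SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsViewAllRecords": True, "Parent": {"Label": "Site Guest User Profile"}},
    {"SobjectType": "Student__c", "PermissionsRead": True,
     "PermissionsViewAllRecords": False, "Parent": {"Label": "Guest Extra Access"}},
    {"SobjectType": "Case", "PermissionsRead": False,
     "PermissionsViewAllRecords": False, "Parent": {"Label": "Site Guest User Profile"}},
]


@dataclass(frozen=True)
class Finding:
    sobject: str   # object the guest user can read
    grantor: str   # profile or permission set that grants it
    severity: str  # "critical" or "high"
    reason: str


def audit_guest_permissions(rows, sensitive=SENSITIVE_OBJECTS):
    """Return findings for sensitive objects readable by the guest user,
    most severe first. Non-sensitive readable objects (public content such
    as knowledge articles) are expected and produce no finding."""
    findings = []
    for row in rows:
        if not row.get("PermissionsRead"):
            continue  # no read access via this grant: nothing exposed
        name = row["SobjectType"]
        if name not in sensitive:
            continue
        grantor = row.get("Parent", {}).get("Label", "<unknown>")
        if row.get("PermissionsViewAllRecords"):
            findings.append(Finding(name, grantor, "critical",
                "guest read plus View All Records bypasses sharing rules on a PII object"))
        else:
            findings.append(Finding(name, grantor, "high",
                "guest read on a PII object; exposure depends on org-wide sharing settings"))
    order = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (order[f.severity], f.sobject))
    return findings


if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_GUEST_PERMISSIONS):
        print(f"[{f.severity.upper()}] {f.sobject} via '{f.grantor}': {f.reason}")
```

Run against a real export, the same logic should be repeated for field-level security and for org-wide default sharing, since object read access alone does not decide which records a guest can see.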

High: Enable and monitor detailed logging for all cloud services, including Salesforce, to detect unauthorized access attempts and anomalous activity. Establish automated alerts for suspicious behavior.
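The technical analysis above describes access carried out by automated scripts or API queries; in Salesforce the natural place to see that is Event Monitoring's REST API event log. The detector below is an added example written for this report, not McGraw-Hill's, Salesforce's or Rescana's code. It builds a constructed log inline, with columns modelled on the RestApi event log file (TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, URI, ROWS_PROCESSED, STATUS_CODE are real column names, but every value, the IP addresses and the user ID are invented), then keeps a sliding per-client window and raises one alert per client IP the first time either the request count or the number of rows returned in that window exceeds an assumed baseline. A paging script that drains a query endpoint trips the row threshold long before a human visitor would.

```python
"""Detect scripted bulk reads of a public Salesforce web resource.

Added example; not code from the page or the organisations it describes.
The log is constructed: columns follow Salesforce Event Monitoring RestApi
event log files, values are invented.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_REQUESTS = 50   # successful REST calls per client per window (assumed baseline)
MAX_ROWS = 2000     # rows returned per client per window (assumed baseline)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_sample_log():
    """Constructed log: one scripted client paging a query endpoint once a
    second with 200 rows per page, plus a few ordinary visitors."""
    header = "TIMESTAMP_DERIVED,EVENT_TYPE,USER_ID,CLIENT_IP,URI,ROWS_PROCESSED,STATUS_CODE"
    start = datetime(2026, 4, 10, 2, 0, 0)
    uri = "/services/data/v60.0/query"
    guest = "005GUEST000000001"  # invented guest-user ID
    lines = [header]
    for i in range(120):  # scripted client, 120 pages of 200 rows
        ts = (start + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        lines.append(f"{ts},RestApi,{guest},198.51.100.7,{uri},200,200")
    for i in range(5):  # ordinary visitors: sparse, tiny result sets
        ts = (start + timedelta(minutes=10 * i)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        lines.append(f"{ts},RestApi,{guest},203.0.113.{10 + i},{uri},3,200")
    ts = (start + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    lines.append(f"{ts},RestApi,{guest},203.0.113.20,{uri},0,401")  # rejected call, ignored
    return "\n".join(lines) + "\n"


def detect_bulk_reads(csv_text, window=WINDOW, max_requests=MAX_REQUESTS, max_rows=MAX_ROWS):
    """Sliding-window counters per CLIENT_IP over successful RestApi events.
    Returns {client_ip: alert} for the first window that breaches a threshold."""
    alerts = {}
    events = defaultdict(deque)              # ip -> deque of (timestamp, rows) in window
    totals = defaultdict(lambda: [0, 0])     # ip -> [requests, rows] in window
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "RestApi" or row["STATUS_CODE"] != "200":
            continue  # only successful reads contribute to exfiltration volume
        ip = row["CLIENT_IP"]
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], TS_FMT)
        rows = int(row["ROWS_PROCESSED"])
        q, t = events[ip], totals[ip]
        q.append((ts, rows))
        t[0] += 1
        t[1] += rows
        while q and ts - q[0][0] > window:  # evict events that fell out of the window
            _, old_rows = q.popleft()
            t[0] -= 1
            t[1] -= old_rows
        if ip not in alerts and (t[0] > max_requests or t[1] > max_rows):
            alerts[ip] = {
                "user_id": row["USER_ID"],
                "window_start": q[0][0],
                "triggered_at": ts,
                "requests": t[0],
                "rows": t[1],
                "uri": row["URI"],
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bulk_reads(build_sample_log()).items():
        print(f"ALERT {ip}: {a['requests']} calls / {a['rows']} rows "
              f"in the window ending {a['triggered_at']:%H:%M:%S} on {a['uri']}")
```

The thresholds are deliberately simple; in production they would be set from the site's own baseline and paired with an alert on the guest user ID itself, since a public site's guest user should rarely return more than a handful of records per call.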

Medium: Perform regular penetration testing and vulnerability assessments of all public-facing applications and cloud environments to identify and remediate misconfigurations or weaknesses.

Medium: Provide security awareness training to staff, emphasizing the risks of cloud misconfigurations and the importance of secure data handling practices.

Medium: Review and update incident response plans to ensure rapid detection, containment, and remediation of cloud security incidents.

Low: Engage with third-party cybersecurity experts to conduct independent reviews of cloud security posture and recommend improvements.

Low: Communicate transparently with affected users regarding the nature of the breach, potential risks, and recommended actions to mitigate identity theft or fraud.

References

https://www.bleepingcomputer.com/news/security/mcgraw-hill-confirms-data-breach-following-extortion-threat/ (April 14, 2026)

https://www.highereddive.com/news/mcgraw-hill-exposed-student-data-grades-online-privacy/639150/ (December 19, 2022)

https://www.bitdefender.com/en-us/blog/hotforsecurity/pii-of-over-90-000-mcgraw-hill-users-allegedly-leaked-on-hacking-forum (November 15, 2023)

https://attack.mitre.org/techniques/T1530/

https://attack.mitre.org/techniques/T1190/

https://attack.mitre.org/campaigns/C0059/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and cloud service providers. Our platform enables continuous evaluation of cloud security configurations, detection of misconfigurations, and assessment of vendor security posture. For questions regarding this incident or to discuss how Rescana can support your organization’s risk management efforts, please contact us at ops@rescana.com.