McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration
McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the ShinyHunters extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted.
After the extortion deadline passed, data tied to 13.5 million McGraw Hill user accounts was reportedly leaked publicly, with Have I Been Pwned saying the dump contained more than 100GB of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold 45 million Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters lists Instructure Holdings as a victim
A RedPacket Security post reported that ShinyHunters had identified Instructure Holdings, Inc., associated with Canva LMS and instructure.com, as a ransomware/extortion victim. This represents a separate victim disclosure from the previously documented McGraw-Hill incident.
ShinyHunters leaks McGraw-Hill data affecting 13.5 million accounts
After the extortion threat, ShinyHunters publicly leaked more than 100GB of data tied to 13.5 million McGraw-Hill user accounts. Have I Been Pwned reported the exposed files contained 13.5 million unique email addresses along with some names, physical addresses, and phone numbers.
McGraw-Hill confirms limited data breach tied to Salesforce-hosted webpage
McGraw-Hill confirmed that attackers accessed a limited set of internal data through a misconfigured webpage hosted on Salesforce. The company said its Salesforce accounts, customer databases, courseware, internal systems, financial data, Social Security numbers, and student platform data were not affected, and that it secured the webpage and engaged external cybersecurity experts.
ShinyHunters claims McGraw-Hill breach and issues extortion threat
The ShinyHunters extortion group listed McGraw-Hill on its leak site, claiming it had stolen 45 million Salesforce records containing personally identifiable information. The group threatened to publish the data unless a ransom was paid, with publication set for April 14.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
17th April 2026 Cyber Update: ShinyHunters' Massive Salesforce Supply Chain Attack Exposes McGraw Hill and Rockstar Games
cybernewscentre.com
Open sourceMcGraw-Hill Confirms Data Exposure, Hackers Claim 45M Salesforce Records Leaked
techrepublic.com
Open sourceMcGraw Hill Confirms Data Breach Exposing 13.5 Million Users' Personal Data
cybersecuritynews.com
Open sourceMcGraw Hill linked to 13.5M-record data leak • The Register
go.theregister.com
Open sourceData breach at edtech giant McGraw Hill affects 13.5 million accounts
bleepingcomputer.com
Open sourceMcGraw-Hill confirms data breach following extortion threat
bleepingcomputer.com
Open sourceMcGraw-Hill Salesforce Data Breach 2026: Analysis of ShinyHunters Extortion and Cloud Misconfiguration Risks - Rescana
rescana.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Hallmark Salesforce Breach Exposed 1.7 Million Customer Records
Hallmark disclosed a breach affecting about **1.7 million people** after attackers allegedly accessed customer data stored in its **Salesforce** environment and then attempted to extort the company. After the ransom deadline expired, the stolen information was reportedly published online. The incident has been attributed to **ShinyHunters**, and the exposed records included email addresses tied to Hallmark and the **Hallmark+** streaming service, along with names, phone numbers, physical addresses, and customer support ticket data. The breach has drawn attention because it mirrors other recent Salesforce-related compromises and raises fresh concerns about how organizations protect third-party hosted customer data. The stolen email addresses were added to **Have I Been Pwned**, which said **82%** of them had already appeared in earlier breaches, indicating substantial overlap with previously exposed accounts while still expanding the pool of affected Hallmark customers.
May 26, 2026
Infinite Campus Salesforce Breach Exposed 137,000 School Staff Accounts
Infinite Campus disclosed that attackers breached its Salesforce environment in March and exposed personal information linked to more than **137,000** school staff accounts. The company said the intrusion affected a system containing staff names and contact information, while stating there was no evidence its core customer databases were compromised. Infinite Campus is a major K-12 student information system provider used by more than 3,200 U.S. school districts and roughly 11 million students across 46 states. The **ShinyHunters** extortion group later claimed responsibility and published data it said was stolen in a "pay or leak" campaign. Analysis by **Have I Been Pwned** found about **137,100** affected accounts, with exposed data including names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets. Infinite Campus told affected parties that much of the exposed information consisted of school staff directory details that are often publicly available on school websites.
Jun 17, 2026
ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
May 2, 2026