McGraw Hill, the world’s largest education publishing company, has suffered a data breach. The ShinyHunters hacker group exploited a misconfiguration in Salesforce, stealing the names, phone numbers, addresses, and emails of 13.5 million users. This data is now publicly available on the internet. Learn how it happened, who is responsible, and how you can protect yourself.
How a simple mistake put thousands of lives at risk
There are many things in the world that we assume are safe. School textbooks, education companies, academic platforms: trusting them seems natural to ordinary people. No one imagines that the company they purchased their college textbooks from would one day leak their name, address, phone number and email address onto the internet.
But that's exactly what happened in April 2026. McGraw Hill, a company that has been operating since 1909, has annual revenues of $2.2 billion, and creates books and digital platforms for education from PreK to university, was subjected to a data breach. And it wasn’t some sophisticated hacking. A small configuration mistake exposed the data of 1.35 crore people to the world.
What is McGraw Hill and Why is It Important?
For those who are not familiar with McGraw Hill, this company is not just a publisher. It is a global education ecosystem. On its platforms, students read their digital textbooks, teachers manage their courses, and universities organize their academic content.
Crores of students and educators across the world use this company’s digital platforms. When such a big company is breached, it is not just the people of one country who are affected; students, teachers and parents all across the globe are affected.
And in this case, the 1.35 crore records that were leaked relate directly to the people who had registered on this platform to read. This data isn’t just a collection of email addresses; it also includes names, phone numbers and physical home addresses.
ShinyHunters: A Hacker Group That Remains Active and Unstopped
Responsibility for this breach lies with a group known in the cybersecurity world as “ShinyHunters.” This isn’t just a name; it’s a hacker organization that has emerged as a distinct category in the cybercrime world over the past few years.
This group doesn’t encrypt systems like traditional ransomware. Its job is simply to steal data and then threaten the company: pay, or we’ll leak. If payment isn’t received, the data is publicly released. This model has made ShinyHunters very effective because, whether the company pays or not, the affected users suffer losses.
This group stole the data of 1.4 million users from Betterment, 10 million records from Match Group, 12.4 million records from CarGurus, 350GB of data from the European Commission, and a petabyte of data from TELUS Digital, all in just 2026. And McGraw Hill became another name on this long list.
How a Salesforce Misconfiguration Caused Massive Damage
To understand this entire breach, it's important to understand Salesforce. Salesforce is a cloud-based CRM platform used by thousands of companies to manage their customer data. McGraw Hill also used Salesforce. Now, Salesforce has a feature called Experience Cloud.
It allows companies to create web portals for their customers. These portals have a guest user setting, which allows users to access the portal without logging in. Normally, these guest users should have very limited access. However, many companies don’t configure this setting properly and give guest users too many permissions, sometimes even to query the entire CRM data.
ShinyHunters exploited exactly this. In January 2026, they took AuraInspector, a legitimate open-source security tool from Google-owned Mandiant, modified it, and converted it into an automated scanner that scanned thousands of Salesforce portals across the internet and extracted data from those with excessive guest permissions. And this wasn’t technically hacking; it was literally a door that McGraw Hill had left open.
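For administrators who want to check their own portal for the over-permissioned guest access described above, the following is an added example (not from McGraw Hill, Salesforce or Mandiant). It audits rows shaped like Salesforce ObjectPermissions records for a guest user profile; the export format, the sample rows and the list of objects treated as sensitive are assumptions.

```python
import json

# Constructed sample: rows shaped like Salesforce ObjectPermissions records
# for one portal's guest user profile. Object names are made up for the demo.
SAMPLE_EXPORT = json.dumps([
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Lead", "PermissionsRead": True},
    {"SobjectType": "Case", "PermissionsCreate": True},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"SobjectType": "Student_Registration__c", "PermissionsRead": True},
])

# Assumption: the CRM objects this audit treats as holding personal data.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "User"}
BROAD = {"PermissionsViewAllRecords", "PermissionsModifyAllRecords"}
MODIFY = {"PermissionsEdit", "PermissionsDelete"}
RANK = {"critical": 0, "high": 1, "review": 2}

def classify(row):
    """Return (severity, reason) for one permission row, or None if acceptable."""
    obj = row["SobjectType"]
    granted = {k for k, v in row.items() if k.startswith("Permissions") and v is True}
    if granted & BROAD:
        return "critical", "guest bypasses sharing: " + ", ".join(sorted(granted & BROAD))
    if obj in SENSITIVE_OBJECTS and "PermissionsRead" in granted:
        return "high", "guest can read an object that holds personal data"
    if granted & MODIFY:
        return "high", "guest can edit or delete records"
    if obj.endswith("__c") and "PermissionsRead" in granted:
        return "review", "custom object readable by guests; confirm it holds no personal data"
    return None  # e.g. create-only access for a contact form, or public articles

def audit_guest_permissions(export_json):
    """Return findings as (severity, object, reason), most severe first."""
    findings = []
    for row in json.loads(export_json):
        result = classify(row)
        if result:
            findings.append((result[0], row["SobjectType"], result[1]))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    for severity, obj, reason in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"{severity.upper():8} {obj}: {reason}")
```

Object permissions are only one layer: sharing settings decide which individual records a guest can actually see, so a clean result here does not replace a review of those.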
45M Claim vs 13.5M Data Exposed: The Real Story?
When ShinyHunters first added McGraw Hill to their leak site, they claimed to have 45 million Salesforce records. The company was given an ultimatum of April 14, 2026 to pay the ransom or the data would be publicly released. McGraw Hill refused to pay.
When the deadline came, ShinyHunters dumped more than 100 GB of data online. Have I Been Pwned, a trusted data breach monitoring service, analyzed this data and confirmed that it contained 1.35 crore unique email addresses.
Some records contained only emails, while some also contained names, phone numbers and addresses. Interestingly, ShinyHunters claimed 45 million but confirmed records showed 13.5 million. The company says that its main Salesforce account, courseware, customer databases and internal systems were not affected at all. The true story may lie between these two claims, but the data that was confirmed is also very bad news for over a crore people.
Not Just McGraw Hill: 300–400 Companies Affected
One thing that makes this breach even more serious is that McGraw Hill is not an isolated case. When ShinyHunters conducted a Salesforce scanning campaign using the modified AuraInspector tool, it was not just McGraw Hill: according to estimates, 300 to 400 organizations globally came under the scanner of this campaign. Atlassian, Docusign, LinkedIn, Verizon and Thomson Reuters, all big names, have also been on the ShinyHunters target list.
Google Threat Intelligence Group confirmed that there are more than 200 potentially affected Salesforce instances. And all this did not happen due to any zero-day vulnerability; it happened only because these companies had not configured their Salesforce settings properly. Cybersecurity experts have a point: ShinyHunters didn’t break into Salesforce; it was a door that the companies themselves left open.
47% Old Leaks & Risks of Fresh Data
The analysis published by Have I Been Pwned revealed another important detail. Out of the 1.35 crore emails leaked, 47% of the emails were already present in the HIBP database from existing breaches, meaning these email addresses had been leaked earlier in some other breach.
But the 53% that are new are appearing in a breach database for the first time. And these fresh email addresses are very valuable for the attackers, because these people never knew that someone had their data. These people are not very cautious. When a targeted phishing email uses their real name, address and phone number, that person will straightaway consider it to be genuine. This is the biggest long-term danger of this breach.
People often wonder what’s the big deal if just an email address and phone number are leaked. But in the world of cybersecurity, this thinking is dangerous. When an attacker has someone’s name, home address, email address, and phone number, they can launch a very convincing targeted attack.
They can send an email that looks exactly like it’s from McGraw Hill, using the correct name and leading to a malicious link or fake login page. This is called spear phishing. It's not simple generic spam but a completely personalized fraud. If someone gets on the phone and says, “I’m calling from McGraw Hill support, your account is being suspended,” and the name and address are all correct, the person trusts the caller. And if this data is combined with data from another breach, such as a password leak, it can lead to credential stuffing attacks where the attacker tries to log in to McGraw Hill or another site.
McGraw Hill’s Statement and Ongoing Concerns
McGraw Hill's official statement was that the breach was limited to a single Salesforce-hosted webpage; the company’s core systems, Salesforce accounts, courseware, and internal databases were not affected at all. The company also stated that this is not just a McGraw Hill issue but a broader Salesforce environment issue affecting multiple organizations.
When the breach was discovered, the affected webpages were immediately secured and an investigation began. This is all well and good, but cybersecurity experts are not satisfied with this statement. An analyst simply said, “It’s cold comfort to millions of people who now have their real names and addresses out there.” The company has not yet disclosed exactly how many and which users were affected, and what type of information was in exactly which records. This lack of transparency is further troubling the affected users.
What Should You Do
If you have ever registered on any McGraw Hill platform, such as Connect, ALEKS or any McGraw Hill digital product, the first thing you should do is check your email address at haveibeenpwned.com. This is a completely free service that will let you know if your email has been breached.
If so, change your McGraw Hill account password, and change it anywhere else you have used the same password. Enable multi-factor authentication if available. In the future, react very carefully to any email from McGraw Hill, even if it appears genuine. Update your spam filter. And if you receive a phone call in which your name and personal details are mentioned, do not take any action without verifying.
Conclusion
The biggest lesson in this whole situation is that cloud security is a shared responsibility. Salesforce said this was not a flaw in their platform, and they are technically right. But when you use a platform and do not configure its settings properly, the responsibility lies with you. McGraw Hill didn’t properly restrict Salesforce guest user access. One small setting put the data of 13.5 million people at risk.
And it's not just McGraw Hill: 300-400 companies fell victim to this same mistake in this one campaign. Adopting technology is important, but configuring it securely is even more important. No matter how big a company is, if the settings of cloud platforms are not managed properly then the result will be the same, and the loss will always be borne by the end users, not the company.