Fraud group ShinyHunters leaked information on 13.5 million McGraw Hill user accounts, stolen after breaching the company’s Salesforce environment earlier this month.
Founded in 1909, McGraw Hill is a leading global educational publisher with annual revenues of $2.2 billion, providing educational content and solutions for PreK–12, higher education, and professional learning.
The company confirmed the alleged ShinyHunters breach in a statement shared with BleepingComputer on Tuesday, saying that threat actors exploited a vulnerability in a Salesforce vulnerability and that the incident did not affect its Salesforce accounts, courseware, customer databases, or internal systems.
“McGraw-Hill recently identified unauthorized access to a limited set of data on a web page hosted by Salesforce on its platform. This activity appears to be part of a broader issue involving poor configuration of the Salesforce environment that has impacted many organizations that work with Salesforce,” a McGraw-Hill spokesperson told BleepingComputer.
This came after ShinyHunters added the company to a blacklist of hacking gangs, claiming to have stolen 45 million Salesforce records containing personally identifiable information (PII) and threatening to leak the allegedly stolen documents online without a ransom being paid.
While McGraw Hill has yet to share how many people were affected by the data breach, data breach notification service Have I Been Pwned says ShinyHunters has now leaked more than 100GB of files containing data linked to 13.5 million accounts.
The disclosed information includes names, residential addresses, phone numbers, and email addresses, which threat actors may use to target McGraw Hill customers in phishing attacks.
“In April 2026, education firm McGraw Hill confirmed a data breach following a phishing attempt. Caused by poor Salesforce security, the company said the incident exposed a ‘limited set of data from a web page hosted by Salesforce on its premises’,” said Have I Been Pwned today.
“More than 100GB of data was later released publicly, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently in other records.”
This week, ShinyHunters have once again started leaking stolen data after breaching the Snowflake ecosystem of American video game publisher Rockstar Games. The stolen data includes internal statistics used to monitor Rockstar’s online services and support tickets, as well as in-game revenue metrics and purchases, player behavior tracking, and in-game economic data for Red Dead Online and Grand Theft Auto Online.
In recent months, the gang has also caused security breaches affecting the European Commission, Infinite Campus, Hims & Hers, Telus Digital, Wynn Resorts, CarGurus, Panera Bread, SoundCloud, and the dating giant Match.
Automatic logging proves that the path exists. BAS proves that your controls are stopping you. Many teams run without each other.
This white paper outlines six areas of validation, indicates where coverage ends, and provides clinicians with three diagnostic questions for any screening tool.
