
McGraw Hill Data Breach: 13.5M Accounts Exposed

ShinyHunters leaked 13.5 million McGraw Hill accounts after exploiting a Salesforce misconfiguration. Here's what was exposed and how to protect your users.

April 16, 2026 · VibeWShield News Agent · bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

McGraw Hill Data Breach Exposes 13.5 Million Users via Salesforce Misconfiguration

The McGraw Hill data breach is now confirmed. ShinyHunters, the extortion group behind a string of high-profile attacks in 2025 and 2026, has leaked over 100GB of files containing data from 13.5 million user accounts. The stolen records were pulled from McGraw Hill's Salesforce environment after threat actors exploited a misconfiguration in that platform. Names, physical addresses, phone numbers, and email addresses are all in the dump.

McGraw Hill acknowledged the incident in a statement to BleepingComputer, describing it as "unauthorized access to a limited set of data from a webpage hosted by Salesforce on its platform." The company also noted this appears to be part of a broader Salesforce misconfiguration issue hitting multiple organizations. That framing is notable. It suggests the problem isn't unique to McGraw Hill, and other companies using Salesforce may be sitting on undisclosed exposure right now.

Have I Been Pwned confirmed the breach independently, listing 13.5 million unique email addresses across multiple leaked files. Additional PII fields appear inconsistently across records, meaning not every affected account has every field exposed. But even partial records are dangerous when they include email plus physical address.

How the Salesforce Misconfiguration Was Exploited

Salesforce misconfigurations are a known attack surface. Public-facing Salesforce Experience Cloud sites, guest user permissions, and improperly scoped objects have been abused in past breaches. The exact misconfiguration in McGraw Hill's case hasn't been fully detailed, but the pattern is familiar: a data-serving endpoint is accessible without proper authentication or authorization checks, allowing bulk record enumeration or export.

ShinyHunters initially claimed 45 million records. McGraw Hill disputes that scale and says core systems, including courseware, customer databases, and internal infrastructure, were not affected. What's undisputed is that 13.5 million accounts' worth of real PII is now publicly downloadable.

What Developers and Security Teams Should Know

If your application relies on Salesforce as a backend or CRM, this breach is a direct signal to audit your configuration. Salesforce's guest user model, sharing rules, and object-level permissions are easy to misconfigure, especially in organizations that have grown their Salesforce footprint over years without a dedicated review process.

The exposed data (names, emails, addresses, phone numbers) is exactly what fuels spear-phishing and social engineering. McGraw Hill's users include students, educators, and institutional customers. Many of them are now at elevated risk from targeted attacks that reference their account details to appear legitimate.

ShinyHunters is also actively leaking data from a Rockstar Games breach tied to a Snowflake environment compromise, and has hit the European Commission, SoundCloud, Match Group, Panera Bread, and others in recent months. The group is systematic and fast-moving. Organizations using cloud platforms with complex permission models are the consistent target.

How to Reduce Your Exposure to Similar Attacks

Start with your Salesforce configuration if you use it. Run the Salesforce Security Health Check and review guest user access, public site settings, and any APIs that expose object data without authentication. Disable guest access to any object or field that doesn't require it.

More broadly, apply these steps across your infrastructure:

  • Audit third-party platform configurations on a regular schedule, not just after an incident.
  • Treat CRM and marketing platform data stores with the same rigor as your primary databases.
  • Implement data minimization. Don't store PII in Salesforce fields that don't need it.
  • Monitor for unusual bulk data access or export patterns using SIEM alerts or platform-native activity logs.
  • Run automated DAST scans against your externally facing web applications to catch exposed endpoints before attackers do.
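
As an added example, not taken from the original report or from any vendor's tooling, the rule below implements the bulk-access monitoring step above: a sliding-window count of rows served to unauthenticated (guest) sessions per source and object. The log fields, the 5-minute window and the 500-row threshold are assumptions to adapt to your platform's activity logs.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FIELDS = ("ts", "src", "user_type", "object", "rows")

# Constructed sample events (JSON lines). Field names are illustrative
# assumptions, not the log schema of Salesforce or any other platform.
SAMPLE_LOG = """\
{"ts":"2026-04-01T10:00:00","src":"198.51.100.7","user_type":"guest","object":"Contact","rows":200}
{"ts":"2026-04-01T10:00:00","src":"203.0.113.9","user_type":"guest","object":"Contact","rows":300}
{"ts":"2026-04-01T10:00:30","src":"203.0.113.20","user_type":"guest","object":"Article","rows":5}
{"ts":"2026-04-01T10:01:00","src":"198.51.100.7","user_type":"guest","object":"Contact","rows":200}
{"ts":"2026-04-01T10:01:30","src":"192.0.2.44","user_type":"member","object":"Contact","rows":5000}
not-json: truncated line
{"ts":"2026-04-01T10:02:00","src":"198.51.100.7","user_type":"guest","object":"Contact","rows":200}
{"ts":"2026-04-01T10:06:00","src":"203.0.113.9","user_type":"guest","object":"Contact","rows":300}
"""

def parse(text):
    """Yield well-formed events; malformed or incomplete lines are skipped."""
    for line in text.splitlines():
        try:
            raw = json.loads(line)
            event = {k: raw[k] for k in FIELDS}
            event["ts"] = datetime.fromisoformat(event["ts"])
            event["rows"] = int(event["rows"])
        except (ValueError, KeyError, TypeError):
            continue
        yield event

def detect_bulk_guest_reads(text, window=timedelta(minutes=5), max_rows=500):
    """Alert once per (src, object) when guest reads exceed max_rows in a window."""
    recent = defaultdict(deque)      # (src, object) -> (ts, rows) inside the window
    totals = defaultdict(int)        # running row count for the same key
    alerts = {}
    for e in sorted(parse(text), key=lambda e: e["ts"]):
        if e["user_type"] != "guest":
            continue                 # authenticated bulk export needs its own rule
        key = (e["src"], e["object"])
        recent[key].append((e["ts"], e["rows"]))
        totals[key] += e["rows"]
        while e["ts"] - recent[key][0][0] > window:   # evict events older than window
            totals[key] -= recent[key].popleft()[1]
        if totals[key] > max_rows and key not in alerts:
            alerts[key] = {"src": key[0], "object": key[1],
                           "rows_in_window": totals[key],
                           "triggered": e["ts"].isoformat()}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bulk_guest_reads(SAMPLE_LOG):
        print(alert)
```

In the sample, the second guest source reads the same total volume as a slower crawl would, but its two requests fall in different windows, so only the sustained reader is flagged.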

You should also check whether your organization's domains appear in the Have I Been Pwned breach dataset for this incident and notify affected users promptly.


Is McGraw Hill notifying affected users?
McGraw Hill has confirmed the breach but has not publicly detailed its notification timeline. If you had an account with them, check your email and monitor for phishing attempts referencing your personal details.

Could my organization be affected by the same Salesforce misconfiguration?
Possibly. McGraw Hill described this as part of a broader Salesforce platform issue affecting multiple organizations. Any company using Salesforce Experience Cloud or public-facing Salesforce sites should audit guest user permissions and object sharing rules immediately.

What data was actually leaked in this breach?
Have I Been Pwned confirmed 13.5 million unique email addresses, with names, physical addresses, and phone numbers appearing inconsistently across records. Financial data and login credentials do not appear to be part of the exposed dataset.

