Skip to main content
Cyber News & CTI Reports :: 2026-04-14 | McGraw-Hill confirms data breach following extortion threat
Contact Page | Privacy Policy

2026-04-14 | McGraw-Hill confirms data breach following extortion threat

1. AI Summary

McGraw-Hill confirms limited non-sensitive data exposure via misconfigured Salesforce page; ShinyHunters claims 45M PII records and threatens leak; investigation ongoing.

2. IOCs

IOC Type Value Description Relevant MITRE ATT&CK Techniques
Threatactor ShinyHunters APT group using Google Cloud credential scraping, MFA bypass via voice phishing, and trufflehog for lateral movement None

3. MITRE ATT&CK

Code Title
T1190 Exploit Public-Facing Application to access misconfigured Salesforce page
T1078.004 Use of valid cloud credentials (cloud accounts) to access data
T1567.001 Exfiltration Over Web Services

4. Targets

Type Value
Sector Education publishing

5. Article Details

6. Original text

Education company McGraw-Hill has confirmed in a statement to BleepingComputer that hackers exploited a Salesforce misconfiguration and accessed its internal data. The company assured that the breach did not affect its Salesforce accounts, customer databases, or internal systems, and that the amount of exposed data is limited and non-sensitive. “McGraw-Hill recently identified unauthorized access to a limited set of data from a webpage hosted by Salesforce on its platform. This activity appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations that work with Salesforce," a McGraw-Hill spokesperson told BleepingComputer. "Importantly, this did not involve unauthorized access to McGraw-Hill’s Salesforce accounts, customer databases, courseware, or internal systems,” the company representative added. McGraw-Hill further states that its investigation, with help from external cybersecurity experts, revealed that the exposed information does not contain Social Security numbers (SSNs), financial account information, or student data from its educational platforms. A global education company focused on learning content and platforms, McGraw-Hill offers textbooks, digital learning platforms, and K-12 school and university systems. The company is a major player in

Education publishing
, with an annual revenue of $2.2 billion. The statement about the cyberattack comes in response to the extortion group
ShinyHunters
announcing McGraw-Hill as a victim on its dark-web portal and threatening to leak stolen data by April 14 unless a ransom is paid. The notorious threat actor claims to hold 45 million Salesforce records containing personally identifiable information (PII), contradicting the company’s statement that the compromised data is not sensitive in nature.

McGraw-Hill on

ShinyHunters
' extortion portal Source: BleepingComputer McGraw-Hill also told BleepingComputer that the affected webpages were secured immediately after detecting the unauthorized activity, and that it is working closely with Salesforce to further strengthen protections and ensure that the issue is fully addressed. The
ShinyHunters
data extortion group has carried out several confirmed high-profile security breaches since the start of the year, including those against Rockstar Games , Hims & Hers , the European Commission , Telus Digital , Wynn Resorts , Canada Goose , Match Group , Panera Bread , and CarGurus . In March, the threat group also breached the American firm Infinite Campus , which also operates a K-12 student information system.