Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed

April 16, 2026
aisecuritybusinessgaming
A pile of open books on a table, ideal for study and research themes.
Photo by Lum3n on Pexels

What happened

Textbook giant McGraw Hill has allegedly landed on the ShinyHunters ransomware crew’s leak site after a Salesforce-linked misconfiguration spilled what it has been reported that are 13.5 million records. Have I Been Pwned says the haul includes names, phone numbers, email addresses and some physical addresses. McGraw Hill described the source as a “limited” Salesforce-hosted webpage, but the data now circulating reportedly tops 100 GB and covers 13.5 million email addresses.

Claims and counterclaims

ShinyHunters’ listing — seen by reporters — claims the group holds “over 40M Salesforce records containing PII data” and accuses the publisher of failing to pay a ransom before an April 14 deadline. McGraw Hill has not posted anything about the incident on its site and did not answer questions from The Register, though in statements to other outlets it said the activity “appears to be part of a broader issue involving a misconfiguration within Salesforce’s environment that has impacted multiple organizations.” The company also insisted the intrusion “did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems.” That may be technically true — but cold comfort if your contact details are now circulating.

Why it matters

Most compromises linked to Salesforce environments don’t come from a flaw in Salesforce itself, but from stolen credentials, abused OAuth apps or overly permissive integrations that give attackers legitimate access. ShinyHunters has targeted Salesforce-linked setups before, allegedly exploiting connected services rather than breaking into core systems directly in a 2025 campaign. Salesforce did not respond to requests for comment.

For McGraw Hill — a company built on trust, learning platforms and assessments — the irony stings. What lesson? Even a “limited” exposure can become a full-blown problem once it escapes the sandbox. How safe is the data you hand over to education platforms? That’s the question millions of users will now be asking.

Sources: The Register