McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration

mass-credential-exposure, underground-data-leak, breach-disclosure-notification, third-party-vendor-breach, education-sector-threat

Updated May 3, 2026 at 10:10 PM (7 sources)

McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the ShinyHunters extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted.

After the extortion deadline passed, data tied to 13.5 million McGraw Hill user accounts was reportedly leaked publicly, with Have I Been Pwned saying the dump contained more than 100GB of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold 45 million Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.

Timeline

  1. May 3, 2026

    ShinyHunters lists Instructure Holdings as a victim

    A RedPacket Security post reported that ShinyHunters had identified Instructure Holdings, Inc., associated with Canvas LMS and instructure.com, as a ransomware/extortion victim. This represents a separate victim disclosure from the previously documented McGraw-Hill incident.

  2. Apr 16, 2026

    ShinyHunters leaks McGraw-Hill data affecting 13.5 million accounts

    After the extortion threat, ShinyHunters publicly leaked more than 100GB of data tied to 13.5 million McGraw-Hill user accounts. Have I Been Pwned reported the exposed files contained 13.5 million unique email addresses along with some names, physical addresses, and phone numbers.

  3. Apr 14, 2026

    McGraw-Hill confirms limited data breach tied to Salesforce-hosted webpage

    McGraw-Hill confirmed that attackers accessed a limited set of internal data through a misconfigured webpage hosted on Salesforce. The company said its Salesforce accounts, customer databases, courseware, internal systems, financial data, Social Security numbers, and student platform data were not affected, and that it secured the webpage and engaged external cybersecurity experts.

  4. Apr 14, 2026

    ShinyHunters claims McGraw-Hill breach and issues extortion threat

    The ShinyHunters extortion group listed McGraw-Hill on its leak site, claiming it had stolen 45 million Salesforce records containing personally identifiable information. The group threatened to publish the data unless a ransom was paid, with publication set for April 14.

Sources

April 16, 2026 at 12:00 AM

2 more from sources like Bleeping Computer and the Rescana blog

Related Stories

ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data

ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.

3 days ago

Infinite Campus says Salesforce account breach exposed school staff contact data

Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s **Salesforce** account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did **not** reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor **ShinyHunters** claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate. Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that **no student data was breached**.

1 month ago

Salesforce Data Breach and Ransomware Group Data Leak Site Targeting Salesloft Drift Integrations

A ransomware group known as Scattered Lapsus$ Hunters, also referred to as ShinyHunters, has launched a darkweb data-leak site to pressure victims of a significant Salesforce data breach into paying extortion demands. The group claims to have stolen 1.5 billion Salesforce records from 760 companies that integrated their Salesforce customer relationship management (CRM) software with the Salesloft Drift artificial intelligence chatbot. The leak site, which debuted on a Friday, lists 39 victim organizations, including major brands such as Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The attackers are demanding separate ransoms from Salesforce itself to prevent the release of data pertaining to the remaining 721 affected companies. Samples of the stolen data published by the group include extensive personally identifiable information (PII), such as names, dates of birth, nationalities, passport numbers, full contact information, and employment histories. Cybersecurity researcher Milivoj Rajić has tested multiple samples of the leaked data and confirmed their validity, indicating the breach is authentic and the data is genuine. Additional compromised data includes shipping information, marketing lead data, customer support case records, chat transcripts, flight details, and car ownership records. The attack specifically targeted organizations that had integrated Salesforce with the Salesloft Drift AI chatbot, suggesting a possible exploitation of integration points or third-party application vulnerabilities. The public exposure of such a large volume of sensitive data significantly increases the risk of identity theft, fraud, and further targeted attacks against both individuals and organizations. The ransomware group’s strategy of publishing a leak site and naming high-profile victims is designed to maximize pressure and reputational damage, thereby increasing the likelihood of ransom payments. 
The incident highlights the risks associated with third-party integrations in cloud environments, especially when sensitive customer data is involved. Security teams at affected organizations are likely conducting forensic investigations, assessing the scope of the breach, and notifying impacted customers. The breach underscores the importance of robust access controls, regular security assessments of third-party integrations, and rapid incident response capabilities. Salesforce and Salesloft Drift users are advised to review their security configurations and monitor for suspicious activity. The event has drawn significant attention from the cybersecurity community due to the scale of the breach and the high-profile nature of the victims. Organizations are being urged to remain vigilant and to implement additional security measures to protect against similar attacks in the future.

1 month ago