McGraw-Hill confirms limited data exposure linked to Salesforce misconfiguration

McGraw-Hill, a global education company specializing in textbooks and digital learning platforms, has confirmed that unauthorized access to a limited set of its data occurred due to a Salesforce misconfiguration, following claims by the hacking group ShinyHunters.

The company identified the incident as part of a broader issue affecting multiple organizations using Salesforce, a widely deployed customer relationship management platform. The unauthorized access involved a webpage hosted within Salesforce’s environment, rather than direct intrusion into McGraw-Hill’s core systems.

McGraw-Hill stated that its Salesforce accounts, customer databases, courseware and internal systems were not compromised. The company emphasized that the exposed data is limited in scope and does not include sensitive information such as Social Security numbers, financial account details or student data from its educational platforms.

The incident came to light after ShinyHunters listed McGraw-Hill on its dark web portal, claiming to possess 45 million Salesforce records tied to the company and threatening to release the data by April 14 unless a ransom is paid. The group asserted that the dataset contains personally identifiable information, a claim that contrasts with the company’s assessment of the breach.

Upon detecting the unauthorized activity, McGraw-Hill secured the affected webpages and initiated an investigation with the assistance of external cybersecurity experts. The company is also working with Salesforce to reinforce security measures and address the underlying misconfiguration.

McGraw-Hill generates approximately $2.2 billion in annual revenue and serves K-12 schools, universities and professional learners worldwide through its publishing and digital education offerings.

ShinyHunters has been linked to a series of high-profile cyber incidents in 2026, targeting organizations across sectors including technology, hospitality and government. The group’s ongoing campaign has frequently involved exploiting access to Salesforce environments and issuing public ransom demands tied to alleged data theft.