Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed
(2026/04/16)
- Reference: 1776340175
- News link: https://www.theregister.co.uk/2026/04/16/mcgraw_hill_salesforce/
- Source link:
Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.
[1]Have I Been Pwned says the breach exposed names, phone numbers, email addresses, and some physical addresses. McGraw Hill described the source as a "limited" Salesforce-hosted webpage – though the data now circulating publicly tops 100 GB and covers 13.5 million email addresses.
Most Salesforce compromises don't stem from flaws in Salesforce itself, but from stolen credentials, abused OAuth apps, or over-permissioned integrations that give attackers legitimate access to quietly pull data.
[2]
The breach surfaced earlier this week when the ShinyHunters crew added McGraw Hill to its dark web leak site alongside other victims, [3]including Rockstar Games . The listing, seen by The Register , says the group has "over 40M Salesforce records containing PII data" and accuses the company of failing to pay a ransom before an April 14 deadline.
[4]
[5]
McGraw Hill has kept quiet on its own channels, with no mention of the incident on its website and no response to The Register 's questions. In statements to [6]other outlets , however, it claimed the activity "appears to be part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations."
[7]Microsoft announces product it doesn't want you to buy: Extended security updates for old Exchange, and Skype for Biz
[8]Commvault has a Ctrl+Z for rogue AI agents
[9]Anthropic's Project Glasswing CVE tally is still anyone's guess
[10]Raspberry Pi OS ends open-door policy for sudo
The publisher was also keen to draw a line around the damage, insisting the intrusion "did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems." That may be technically accurate, though it's unlikely to be much comfort to anyone whose personal details may now be circulating online.
Salesforce did not respond to The Register's questions.
ShinyHunters has targeted Salesforce-linked environments before, including a 2025 campaign that exploited weaknesses in connected services rather than breaking into core systems directly.
[11]
For McGraw Hill – an outfit built on digital learning platforms and assessments spanning K-12 through to professional training – the irony is hard to miss. The lesson here, at least for those caught up in the mess, is that even "limited" exposure can add up fast once it escapes into the open. ®
Get our [12]Tech Resources
[1] https://haveibeenpwned.com/Breach/McGrawHill
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2026/04/13/shinyhunters_rockstar_breach/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.bleepingcomputer.com/news/security/mcgraw-hill-confirms-data-breach-following-extortion-threat/
[7] https://www.theregister.com/2026/04/16/microsoft_exchange_skype/
[8] https://www.theregister.com/2026/04/14/commvault_has_a_ctrlz_for/
[9] https://www.theregister.com/2026/04/15/project_glasswing_cves/
[10] https://www.theregister.com/2026/04/15/raspberry_pi_os_sudo/
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://whitepapers.theregister.com/
[1]Have I Been Pwned says the breach exposed names, phone numbers, email addresses, and some physical addresses. McGraw Hill described the source as a "limited" Salesforce-hosted webpage – though the data now circulating publicly tops 100 GB and covers 13.5 million email addresses.
Most Salesforce compromises don't stem from flaws in Salesforce itself, but from stolen credentials, abused OAuth apps, or over-permissioned integrations that give attackers legitimate access to quietly pull data.
[2]
The breach surfaced earlier this week when the ShinyHunters crew added McGraw Hill to its dark web leak site alongside other victims, [3]including Rockstar Games . The listing, seen by The Register , says the group has "over 40M Salesforce records containing PII data" and accuses the company of failing to pay a ransom before an April 14 deadline.
[4]
[5]
McGraw Hill has kept quiet on its own channels, with no mention of the incident on its website and no response to The Register 's questions. In statements to [6]other outlets , however, it claimed the activity "appears to be part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations."
[7]Microsoft announces product it doesn't want you to buy: Extended security updates for old Exchange, and Skype for Biz
[8]Commvault has a Ctrl+Z for rogue AI agents
[9]Anthropic's Project Glasswing CVE tally is still anyone's guess
[10]Raspberry Pi OS ends open-door policy for sudo
The publisher was also keen to draw a line around the damage, insisting the intrusion "did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems." That may be technically accurate, though it's unlikely to be much comfort to anyone whose personal details may now be circulating online.
Salesforce did not respond to The Register's questions.
ShinyHunters has targeted Salesforce-linked environments before, including a 2025 campaign that exploited weaknesses in connected services rather than breaking into core systems directly.
[11]
For McGraw Hill – an outfit built on digital learning platforms and assessments spanning K-12 through to professional training – the irony is hard to miss. The lesson here, at least for those caught up in the mess, is that even "limited" exposure can add up fast once it escapes into the open. ®
Get our [12]Tech Resources
[1] https://haveibeenpwned.com/Breach/McGrawHill
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://www.theregister.com/2026/04/13/shinyhunters_rockstar_breach/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.bleepingcomputer.com/news/security/mcgraw-hill-confirms-data-breach-following-extortion-threat/
[7] https://www.theregister.com/2026/04/16/microsoft_exchange_skype/
[8] https://www.theregister.com/2026/04/14/commvault_has_a_ctrlz_for/
[9] https://www.theregister.com/2026/04/15/project_glasswing_cves/
[10] https://www.theregister.com/2026/04/15/raspberry_pi_os_sudo/
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aeEHpN3oGCl87HCmLprLuQAAAYA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://whitepapers.theregister.com/
Ah, yes. McGH strikes again. I was kind of wondering why some McGH content was... not accessable... over the weekend. Fortunately the creds I use for McGH stuff are restricted to just McGH, a quite specific username and a 15 character password, two capital letters, two numbers, two symbols, rest lower case letters. I think that I'll be changing the password, though. Changing the username may be... difficult... due to the way that McGH operates.
Let's just say that I am totally unsurprised by McGH screwing up. And that McGH is actually better at security than Cengage, or, God help us, Wiley. This is not to say that McGH is good at security; it's just that the competition is pretty bad.