Cyber-crime Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed Publisher claims misconfigured Salesforce-hosted page leaked data Carly Page Thu 16 Apr 2026 // 11:49 UTC Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild. Have I Been Pwned says the breach exposed names, phone numbers, email addresses, and some physical addresses. McGraw Hill described the source as a "limited" Salesforce-hosted webpage – though the data now circulating publicly tops 100 GB and covers 13.5 million email addresses. Most Salesforce compromises don't stem from flaws in Salesforce itself, but from stolen credentials, abused OAuth apps, or over-permissioned integrations that give attackers legitimate access to quietly pull data. The breach surfaced earlier this week when the ShinyHunters crew added McGraw Hill to its dark web leak site alongside other victims, including Rockstar Games . The listing, seen by The Register , says the group has "over 40M Salesforce records containing PII data" and accuses the company of failing to pay a ransom before an April 14 deadline. McGraw Hill has kept quiet on its own channels, with no mention of the incident on its website and no response to The Register 's questions. In statements to other outlets , however, it claimed the activity "appears to be part of a broader issue involving a misconfiguration within Salesforce's environment that has impacted multiple organizations." Microsoft announces product it doesn't want you to buy: Extended security updates for old Exchange, and Skype for Biz Commvault has a Ctrl+Z for rogue AI agents Anthropic's Project Glasswing CVE tally is still anyone's guess Raspberry Pi OS ends open-door policy for sudo The publisher was also keen to draw a line around the damage, insisting the intrusion "did not involve unauthorized access to McGraw Hill's Salesforce accounts, customer databases, courseware, or internal systems." That may be technically accurate, though it's unlikely to be much comfort to anyone whose personal details may now be circulating online. Salesforce did not respond to The Register's questions. ShinyHunters has targeted Salesforce-linked environments before, including a 2025 campaign that exploited weaknesses in connected services rather than breaking into core systems directly. For McGraw Hill – an outfit built on digital learning platforms and assessments spanning K-12 through to professional training – the irony is hard to miss. The lesson here, at least for those caught up in the mess, is that even "limited" exposure can add up fast once it escapes into the open. ® Share More about Ransomware More like these × More about Ransomware Narrower topics REvil Wannacry Broader topics Security More about Share POST A COMMENT More about Ransomware More like these × More about Ransomware Narrower topics REvil Wannacry Broader topics Security TIP US OFF Send us news