A data breach affecting McGraw Hill has exposed information linked to approximately 13.5 million user accounts following a cyber incident tied to a third-party platform.

The company confirmed that unauthorised access occurred through a webpage hosted on the Salesforce platform, which was affected by a misconfiguration. The incident is described as part of a broader issue impacting multiple organisations using the same service.

According to the company, the breach did not involve direct access to its core systems, including internal networks, customer databases, or digital learning platforms. It also stated that Social Security numbers, financial account information, and student-generated data were not exposed.

The breach came to light after the threat group ShinyHunters listed McGraw Hill on its leak site and claimed to have stolen 45 million records containing personal information. The group issued a ransom demand and threatened to publish the data if payment was not made.

Data later shared through breach tracking services indicates that more than 100 GB of information was released, including 13.5 million unique email addresses. Additional records may contain names, physical addresses, and phone numbers, although these fields were not consistently present across all entries.

The exposed data is described as personally identifiable information that could be used in targeted phishing campaigns. The presence of contact details linked to user accounts increases the likelihood of fraudulent communications that reference legitimate services.

McGraw Hill stated that the affected webpage was secured after the activity was identified and that it is working with Salesforce to address the issue. The company said the incident was limited in scope and did not result from a compromise of its internal infrastructure.

The discrepancy between the company’s description of a limited dataset and the threat actor’s claim of a larger volume of records has not been resolved. The total number of individuals affected beyond the identified email addresses has not been disclosed.

The incident is part of a series of breaches linked to ShinyHunters, which has targeted organisations by exploiting access to cloud-based services and third-party platforms rather than direct system intrusions.
