ShinyHunters Listed 45 Million Salesforce Records From McGraw-Hill on a Dark Web Portal. The Deadline Passed Yesterday.
McGraw-Hill confirms a breach via Salesforce misconfiguration and calls the exposed data 'limited and non-sensitive.' ShinyHunters claims 45 million PII records and set a ransom deadline of April 14. That deadline has now passed. This is not an isolated incident — the same misconfiguration class has hit multiple organisations in the same infrastructure layer.
On April 14, 2026, McGraw-Hill confirmed what ShinyHunters had been threatening for days: the education technology company suffered a data breach through a Salesforce misconfiguration that exposed records hosted on Salesforce-managed web infrastructure.
The confirmation came with immediate minimisation. McGraw-Hill described the exposed data as 'a limited set of data from a webpage hosted by Salesforce on its platform' — characterising it as non-sensitive and explicitly stating no SSNs, financial data, student records, courseware, or internal systems were involved. Affected pages were secured upon discovery.
ShinyHunters says otherwise. The group, operating from their own dark web extortion portal, claims to have extracted 45 million Salesforce records containing personally identifiable information, and set a ransom deadline of April 14, 2026. That deadline has now passed. When ShinyHunters deadlines expire unpaid, data is typically released or sold. The gap between 'limited and non-sensitive' and '45 million PII records' is a gap that will close in the open — one way or another.
ShinyHunters in 2026: industrialised data extortion
ShinyHunters is not a new actor. The group has operated for several years and built a track record of high-volume data theft followed by structured extortion campaigns. What distinguishes their 2026 activity is the operational cadence and the calibre of targets.
In 2026 alone, confirmed ShinyHunters victims include Rockstar Games, Hims & Hers (the telehealth company), and the European Commission — alongside McGraw-Hill. The breadth of targeting — entertainment, healthcare, public sector, education — is not opportunistic. It reflects a systematic approach to identifying cloud misconfiguration exposure across high-value organisations and monetising it through dark web extortion infrastructure the group controls.
ShinyHunters operates their own extortion portal on the dark web, a step beyond the typical ransomware group approach of posting victim listings on someone else's leak site. Running their own portal gives them direct control over publication timing, negotiation pressure, and data distribution — and makes their deadline commitments credible. When the clock on their portal runs out, they have both the technical capability and the financial incentive to follow through.
“ShinyHunters has listings from Rockstar Games, Hims & Hers, and the European Commission in 2026. McGraw-Hill is not a random target. It fits a pattern of high-profile organisations with cloud-hosted infrastructure exposure.”
— SharkStriker — April 2026 Data Breaches Report
The root cause: Salesforce misconfiguration as an attack surface
The McGraw-Hill breach was not caused by a zero-day vulnerability or a sophisticated exploit chain. It was caused by a misconfiguration — specifically, the way Salesforce hosted web pages on behalf of the organisation exposed data that should have been inaccessible to unauthenticated external requests.
Salesforce's Experience Cloud and related hosted page products allow organisations to build customer-facing portals, partner sites, and web pages powered by Salesforce data. When sharing rules, guest user access permissions, or object-level security is misconfigured, these pages can expose data through Salesforce's own APIs without any credential requirement.
This is not a novel attack class. Salesforce misconfiguration-based exposure has been a documented issue for several years. What changed in 2026 is that threat actors — including ShinyHunters — have added systematic Salesforce exposure scanning to their initial access reconnaissance workflows. McGraw-Hill is one of multiple organisations believed to be affected by the same misconfiguration class. The company confirmed the breach affected 'a webpage hosted by Salesforce on its platform' — language that describes a known exposure pattern in Salesforce's hosted infrastructure products.
45 million records vs 'limited and non-sensitive': the credibility gap
The most operationally significant aspect of this breach is not the confirmed data — it is the discrepancy between what McGraw-Hill has confirmed and what ShinyHunters claims.
McGraw-Hill's statement is narrowly worded and carefully scoped: it explicitly states no SSNs, no financial data, no student data, no courseware, and no internal systems. This is the language of a legal disclosure designed to minimise reputational damage, and it is consistent with what a company would say if the exposed data was limited to marketing records, contact lists, or publicly accessible page content.
ShinyHunters claims 45 million records containing PII. That figure — if accurate — is not a data leak from a misconfigured public-facing page. It is a systematic extraction. The resolution of this discrepancy will come when, or if, ShinyHunters publishes the data. At that point, security researchers and affected individuals will be able to assess the actual scope independently of either party's characterisation.
For organisations with employees, customers, or partners who interact with McGraw-Hill's digital products, the practical guidance is the same regardless of who is right: assume exposure of any data you have shared with McGraw-Hill digital platforms and monitor accordingly.
“McGraw-Hill characterises it as 'limited and non-sensitive.' ShinyHunters claims 45 million records. The truth will be determined by what gets published — not by what gets announced.”
— Decryption Digest analysis — April 15, 2026
The extortion timeline
Based on available intelligence, here is the sequence of events:
Initial access — Salesforce misconfiguration exploited
ShinyHunters identifies and exploits a Salesforce-hosted page misconfiguration that exposes data via unauthenticated API access. The specific timeline of initial access is not confirmed.
Data exfiltration — 45M records claimed
ShinyHunters extracts data from the misconfigured Salesforce environment. They claim 45 million records containing PII, contradicting McGraw-Hill's later characterisation of the exposure as limited.
Dark web listing — extortion portal goes live
ShinyHunters lists McGraw-Hill as a victim on their dark web extortion portal, publishing the claim of 45 million records and setting a ransom deadline of April 14, 2026.
April 14, 2026 — McGraw-Hill confirms breach and secures affected pages
McGraw-Hill publishes a statement confirming unauthorised access via Salesforce misconfiguration. Affected pages are secured. The company characterises the exposure as limited and non-sensitive. The ransom deadline expires the same day.
April 15, 2026 — Data not yet published; deadline window closes
As of April 15, the stolen data has not been publicly released. ShinyHunters typically follows through on expired deadlines by publishing or selling. Threat intelligence monitoring is required.
What to do right now
Five immediate actions for security and IT teams:
Audit all Salesforce-hosted pages for guest user and sharing misconfiguration
Run Salesforce's Health Check tool immediately. Review Experience Cloud sites and any Salesforce-hosted pages for guest user permissions, public sharing rules, and object-level field exposure. Revoke any guest access to objects containing PII, financial data, or internal records. Treat any public-facing Salesforce page as an external attack surface.
Review field-level security across publicly accessible Salesforce objects
Check field-level security settings on all objects exposed through hosted pages. Guest users should have access only to the minimum fields required for the page to function. Any field containing name, email, phone, address, or account information should be explicitly restricted from guest profiles.
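The two audits above can be scripted once guest-profile permissions are exported. The sketch below is an added example, not code from McGraw-Hill, Salesforce or the original article. It assumes rows shaped like Salesforce's ObjectPermissions and FieldPermissions objects; the sample rows, the "Portal Guest" profile name and the allowlist are constructed for illustration.

```python
import re

# Field-name keywords from the article's list (name, email, phone, address,
# account), plus "street" as an assumed extra for address components.
PII_PATTERN = re.compile(r"(name|email|phone|address|street|account)", re.IGNORECASE)

# Constructed sample rows shaped like ObjectPermissions / FieldPermissions
# exports for a guest profile. The profile name is hypothetical.
OBJECT_PERMS = [
    {"profile": "Portal Guest", "SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsEdit": False, "PermissionsViewAllRecords": False},
    {"profile": "Portal Guest", "SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsEdit": False, "PermissionsViewAllRecords": True},
    {"profile": "Portal Guest", "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsEdit": True, "PermissionsViewAllRecords": False},
]
FIELD_PERMS = [
    {"profile": "Portal Guest", "Field": "Contact.Email", "PermissionsRead": True},
    {"profile": "Portal Guest", "Field": "Contact.MailingStreet", "PermissionsRead": True},
    {"profile": "Portal Guest", "Field": "Knowledge__kav.Summary", "PermissionsRead": True},
    {"profile": "Portal Guest", "Field": "Case.SuppliedPhone", "PermissionsRead": False},
]

def audit_guest_access(object_perms, field_perms, allowed_objects):
    """Return sorted (severity, target, reason) findings for guest-profile grants."""
    findings = []
    for row in object_perms:
        obj = row["SobjectType"]
        if row.get("PermissionsViewAllRecords"):
            findings.append(("high", obj, "guest has View All Records"))
        if row.get("PermissionsEdit"):
            findings.append(("high", obj, "guest can edit records"))
        if row.get("PermissionsRead") and obj not in allowed_objects:
            findings.append(("medium", obj, "guest read on object outside allowlist"))
    for row in field_perms:
        _obj, _, field = row["Field"].partition(".")
        if row.get("PermissionsRead") and PII_PATTERN.search(field):
            findings.append(("high", row["Field"], "PII-like field readable by guest"))
    return sorted(findings)

if __name__ == "__main__":
    # Only the knowledge article object is meant to be public in this sample.
    for finding in audit_guest_access(OBJECT_PERMS, FIELD_PERMS, {"Knowledge__kav"}):
        print(*finding, sep=" | ")
```

Keyword matching on field names only catches conventionally named fields, so custom fields holding PII still need a manual review.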
Enable Salesforce Shield if handling sensitive data
Salesforce Shield provides platform encryption, event monitoring, and field audit trails. Organisations handling PII at scale should have Shield enabled and event monitoring configured to alert on bulk data access patterns — the type of systematic extraction ShinyHunters uses would generate anomalous query volume that Shield event monitoring would surface.
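The bulk-access alerting described above reduces to a sliding-window row count per source. The following is an added example, not part of the original article and not Salesforce's own detection logic. The event tuple layout, the 10-minute window and the 10,000-row threshold are assumptions to map onto your own event monitoring export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user_type, source_ip, object, rows_returned).
# This tuple layout is an assumption for the example, not a Salesforce log format.
EVENTS = (
    # One source reading 2,000 Contact rows a minute as a guest.
    [(f"2026-04-10T02:0{m}:00", "Guest", "198.51.100.7", "Contact", 2000) for m in range(6)]
    + [
        # Same total volume as above, but spread over 30 minutes.
        ("2026-04-10T09:00:00", "Guest", "203.0.113.20", "Contact", 6000),
        ("2026-04-10T09:30:00", "Guest", "203.0.113.20", "Contact", 6000),
        # Authenticated internal user running a large export: out of scope here.
        ("2026-04-10T03:00:00", "Standard", "192.0.2.10", "Contact", 50000),
    ]
)

def detect_bulk_guest_reads(events, window=timedelta(minutes=10), row_threshold=10000):
    """Alert once per source when guest reads exceed row_threshold rows within window."""
    recent = defaultdict(deque)   # source -> (time, rows) pairs still inside the window
    totals = defaultdict(int)     # source -> rows currently inside the window
    alerted, alerts = set(), []
    for ts, user_type, source, _entity, rows in sorted(events):
        if user_type != "Guest":
            continue
        now = datetime.fromisoformat(ts)
        recent[source].append((now, rows))
        totals[source] += rows
        # Drop reads that have aged out of the window before comparing.
        while now - recent[source][0][0] > window:
            totals[source] -= recent[source].popleft()[1]
        if totals[source] > row_threshold and source not in alerted:
            alerted.add(source)
            alerts.append({"source": source, "rows_in_window": totals[source], "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_guest_reads(EVENTS):
        print(alert)
```

The slow source in the sample stays under the threshold, which shows why a second, longer window (for example daily totals per source) is worth running alongside the short one.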
Monitor dark web sources for your organisation's data
Set up monitoring for your organisation's domain, employee email patterns, and customer data indicators across dark web markets and paste sites. ShinyHunters typically publishes or sells data within days of a missed deadline. Early detection allows incident response to begin before affected individuals are targeted.
Assess third-party Salesforce exposure across your supply chain
If your organisation shares data with third parties who use Salesforce — customers, partners, vendors — assess whether their Salesforce configuration could expose your data. Third-party cloud misconfiguration is a supply chain risk. The same Salesforce misconfiguration class that hit McGraw-Hill may affect other organisations in your ecosystem.
The bottom line
The McGraw-Hill breach is a case study in how cloud misconfiguration becomes a dark web intelligence product. ShinyHunters did not need a zero-day. They did not need to compromise a network perimeter or bypass an EDR. They needed a Salesforce-hosted page with a misconfigured sharing rule — and the infrastructure to turn that access into a 45-million-record claim and a ransom countdown.
The ransom deadline has passed. The data has not been published yet. But the window between 'deadline expired' and 'data released' is typically measured in days, not weeks. If you are a McGraw-Hill customer, partner, or employee with data on their platforms: monitor your exposure now, not after the publication.
And if your organisation uses Salesforce to host any public-facing pages: run the Health Check today. Not this quarter. Today. ShinyHunters is scanning for your misconfiguration right now, and they do not need an invitation.
Frequently asked questions
What data was stolen from McGraw-Hill by ShinyHunters?
McGraw-Hill states that 'a limited set of data from a webpage hosted by Salesforce on its platform' was accessed, characterising it as non-sensitive with no SSNs, financial data, or student records. ShinyHunters claims to possess 45 million Salesforce records containing personally identifiable information — a significant discrepancy that will only be resolved once (or if) the data is published.
Who are ShinyHunters?
ShinyHunters is a well-established cybercriminal threat actor known for large-scale data theft and extortion. They operate their own dark web extortion portal where they list victims and apply ransom pressure. In 2026, confirmed victims include McGraw-Hill, Rockstar Games, Hims & Hers, and the European Commission.
What is the Salesforce misconfiguration that caused the McGraw-Hill breach?
The breach exploited a misconfiguration within Salesforce's hosted web infrastructure — specifically pages hosted by Salesforce on behalf of client organisations. The misconfiguration allowed unauthorised access to data on those hosted pages. McGraw-Hill is one of multiple organisations believed to be affected by the same vulnerability class.
What other companies were affected by the same Salesforce misconfiguration?
McGraw-Hill confirmed the breach affected 'a webpage hosted by Salesforce on its platform.' While multiple organisations are believed to be exposed via the same misconfiguration class, not all have confirmed breaches. ShinyHunters' 2026 activity has targeted Rockstar Games, Hims & Hers, and the European Commission — though not all through the same Salesforce vector.
Has the stolen McGraw-Hill data been published on the dark web?
As of April 15, 2026, the data had not been publicly released. ShinyHunters set a ransom deadline of April 14, 2026. The deadline has passed. When ransom deadlines expire without payment, ShinyHunters typically publishes data on their extortion portal or sells it to other threat actors. Monitor threat intelligence feeds closely.
What should organisations using Salesforce do right now?
Audit all Salesforce-hosted pages and Experience Cloud sites for misconfigured sharing rules, guest user access, and public-facing object exposure. Run Salesforce's Health Check tool. Review field-level security settings on any objects exposed via hosted pages. Enable Salesforce Shield if handling sensitive data. Treat any Salesforce-hosted public page as a potential external attack surface.
Sources & references
- BleepingComputer — McGraw-Hill confirms data breach following extortion threat
- SharkStriker — April 2026 Data Breaches
- SharkStriker — Top Ransomware Attacks of 2026
- Cyble — 10 New Ransomware Groups of 2025 & Threat Trends for 2026

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
