McGraw Hill confirms data breach after leaked dataset exposes 13.5 million email addresses


McGraw Hill has confirmed a data breach tied to a Salesforce-related misconfiguration, after an extortion attempt ended with stolen data being released online. Independent breach tracking by Have I Been Pwned says the exposed dataset contains 13.5 million unique email addresses, making this one of the bigger education-sector data exposures disclosed this month.

The company says the incident did not come from a breach of its core internal systems. In a statement reported by multiple outlets, McGraw Hill said it identified unauthorized access to “a limited set of data from a webpage hosted by Salesforce on its platform” and described it as part of a broader issue involving a misconfiguration in Salesforce’s environment affecting multiple organizations.

That narrower company description does not fully match the size of the data now circulating. Have I Been Pwned says the exposed records include 13.5 million unique email addresses, while reporting on the leaked files says names, phone numbers, and physical addresses also appear in parts of the dataset, although not every record includes every field.

What appears to have been exposed

Right now, the clearest confirmed number is the 13.5 million email addresses counted by Have I Been Pwned. Some reports also describe the dump as more than 100GB and note that the leaked files contain additional personal details in inconsistent formats, which suggests either multiple source tables or uneven data quality across affected records.

McGraw Hill has also tried to set limits around what was not exposed. The company said the incident did not involve unauthorized access to its Salesforce accounts, customer databases, courseware, or internal systems, and that Social Security numbers, financial account information, and student data generated by its educational platforms were not compromised.

Even with those limits, the breach still matters. Email addresses, names, phone numbers, and street addresses can fuel phishing, impersonation, and targeted social engineering, especially when the affected organization serves schools, teachers, students, and administrators. That risk is an inference based on the kinds of contact data reported in the leak and the sectors McGraw Hill serves.

Why this breach stands out

One reason this story is getting attention is the gap between different record counts. McGraw Hill described the exposure as limited, while the ShinyHunters extortion group claimed it had stolen 45 million Salesforce records. Have I Been Pwned independently validated a smaller but still very large dataset of 13.5 million unique email addresses.

That does not automatically mean one side is lying. Threat actors often exaggerate, and leaked datasets can contain duplicates, incomplete entries, or records from different sources. Based on the currently public evidence, 13.5 million exposed email addresses is the most grounded public figure.

The other reason this matters is the attack path itself. Reports describe the incident as tied to a misconfigured Salesforce-hosted web component rather than a direct compromise of McGraw Hill’s full platform. That adds to growing concern around cloud configuration mistakes, where a single exposed component can spill large volumes of user data without a classic ransomware-style intrusion into every backend system.

Breach details at a glance

Item | What is currently confirmed
Company | McGraw Hill
Disclosure window | April 2026
Reported cause | Salesforce-related misconfiguration
Publicly validated count | 13.5 million unique email addresses
Other reported exposed data | Names, phone numbers, physical addresses
Company says not exposed | Salesforce accounts, customer databases, courseware, internal systems, SSNs, financial account data, student platform-generated data
Threat actor linked in reporting | ShinyHunters

What affected users should do

  • Watch for phishing emails that mention McGraw Hill, school access, invoices, password resets, or account verification.
  • Be cautious with calls or texts that use your real name, email, phone number, or address to sound convincing.
  • Change your McGraw Hill password if you still use one, especially if it matches passwords used elsewhere. This is general security advice based on the nature of the exposed data.
  • Check whether your email appears in the breach database maintained by Have I Been Pwned.
  • Turn on multifactor authentication anywhere you can, especially on email accounts tied to school or work services. This is general best practice.

FAQ

What happened in the McGraw Hill breach?

McGraw Hill said attackers gained unauthorized access to a limited set of data through a webpage hosted on Salesforce, and the exposure appears tied to a broader Salesforce misconfiguration issue.

How many people were affected?

The strongest public count right now comes from Have I Been Pwned, which says the leaked data contains 13.5 million unique email addresses.

What personal data was exposed?

Public reporting says the leaked files include email addresses and, in some records, names, phone numbers, and physical addresses. Not every record contains every field.

Did the breach expose Social Security numbers or financial account data?

McGraw Hill said Social Security numbers, financial account information, and student data generated by its educational platforms were not compromised.
