ShinyHunters extorts McGraw Hill via Salesforce misconfiguration
Financially motivated cybercrime collective active since April 2020, responsible for some of the largest data-theft and extortion incidents of the post-2020 era. Operationally blends credential-stuff…
Summary
ShinyHunters leaked 13.5 million McGraw Hill user accounts after exploiting a misconfigured Salesforce-hosted webpage to extract internal data. The leak — totalling 100GB+ of PII across customer-account records — followed the same operational pattern as the group's mid-2024 Snowflake-customer wave: credential-replay or misconfiguration exploitation against a cloud-data platform, mass exfiltration, and public extortion via leak-forum posting. McGraw Hill is one of several confirmed 2026 Salesforce-platform victims; researchers assess the broader campaign as ongoing.