Education publishing giant McGraw-Hill has confirmed a data breach following an extortion attempt, with more than 100GB of stolen data now publicly distributed online, exposing the personal information of approximately 13.5 million users.
The breach, disclosed in April 2026, stems from a misconfiguration in McGraw-Hill’s Salesforce environment. According to the company, the incident exposed “a limited set of data from a webpage hosted by Salesforce on its platform.” However, the scale of the leaked data tells a broader story.
After the extortion attempt failed to yield results, threat actors publicly released the stolen dataset. According to Have I Been Pwned the dumped files found 13.5 million unique email addresses spread across multiple files, with additional personal data fields including names, phone numbers, and physical addresses appearing inconsistently across various records.
What Data Was Compromised
The exposed dataset reportedly includes:
- Email addresses (13.5 million unique entries)
- Full names
- Phone numbers
- Physical addresses
Not all records contained every data field, suggesting the breach pulled from multiple database sources or that data completeness varied across user accounts.
Salesforce misconfigurations have become an increasingly common attack vector targeting enterprises that rely on the platform for customer and user data management.
In this case, a misconfigured webpage appears to have made sensitive user data accessible without proper authentication controls, a critical oversight for a company handling millions of student and educator records.
McGraw-Hill serves a global audience of students, educators, and academic institutions, making the exposure of this data particularly concerning. Victims may face phishing attempts, targeted social engineering attacks, and spam campaigns leveraging the leaked contact details.
McGraw-Hill’s Response
The company has acknowledged the breach and attributed it to the Salesforce misconfiguration, though it characterized the exposed data as limited. Critics argue that 13.5 million records and over 100GB of publicly released data represent a significant incident that goes beyond a minor configuration error.
Affected users are advised to:
- Be alert to phishing emails impersonating McGraw-Hill or affiliated educational institutions
- Monitor for unsolicited calls or messages using personal details
- Consider updating passwords associated with their McGraw-Hill accounts
- Watch for suspicious activity linked to their email addresses using breach monitoring services
The incident underscores the risks that cloud platform misconfigurations pose to organizations storing large volumes of user data and the reputational and legal consequences that follow when threat actors escalate extortion attempts by going public with stolen records.
