:

McGraw Hill breach exposes 13.5M user accounts

SECURITY DESK2 MIN READ
THU, APR 16, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

The ShinyHunters extortion group has leaked data from 13.5 million McGraw Hill user accounts following a breach of the edtech company's Salesforce environment. The stolen data was disclosed earlier this month.

McGraw Hill, one of the world's largest educational technology companies, confirmed the security incident affecting its user base. The breach occurred within the company's Salesforce infrastructure, a common attack vector for threat actors targeting enterprise systems. ShinyHunters, the extortion group responsible for the leak, has made the stolen data publicly available. The compromised accounts represent a significant portion of McGraw Hill's user base, which includes students, educators, and institutional clients across multiple platforms. McGraw Hill serves millions of users globally through its education technology platforms, digital learning tools, and assessment systems. The breach potentially exposes personal information associated with these accounts, though the company has not yet detailed the specific data categories affected. This incident marks another major security event targeting educational institutions and edtech providers. In recent years, the sector has become increasingly attractive to threat actors seeking valuable user data and institutional information. Companies relying on third-party platforms like Salesforce face inherited security risks. While Salesforce itself remains widely used, misconfigured instances and inadequate access controls have proven vulnerabilities in enterprise deployments. McGraw Hill has not announced mandatory password resets or detailed remediation steps for affected users. The company typically faces regulatory scrutiny under various education privacy laws and data protection regulations depending on jurisdictions served. Users of McGraw Hill platforms should monitor accounts for suspicious activity and consider changing credentials as a precautionary measure. The company is expected to issue formal guidance to affected users in coming days.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

A new macOS malware called CrashStealer disguises itself as Apple's crash-reporting tool to steal credentials, keychain data, and cryptocurrency wallets from infected systems.

1H AGOSecurity Desk

Security firm Jscrambler disclosed that attackers published a malicious version of its npm package, which was downloaded nearly 1,500 times before detection. The compromised package contained infostealer malware targeting developer systems.

1H AGOSecurity Desk

Security researchers are turning prompt injection attacks into a defensive weapon. The technique, called "context bombing," forces malicious AI agents to shut down before causing damage.

3H AGOIndustry Desk

The Los Angeles Police Department has allowed its contract with surveillance company Flock to expire, citing serious civil liberties and privacy concerns. The move marks a significant departure for one of Flock's largest government customers.

5H AGOSecurity Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.