Edtech giant McGraw Hill confirmed a breach (dated around 10 April 2026, surfacing mid-April) after ShinyHunters' extortion threat; about 13.5 million accounts were exposed — emails, names, phone numbers and physical addresses — via a Salesforce misconfiguration. When negotiations failed, the group published over 100 GB of data. McGraw Hill said the exposed data was limited and did not include Social Security numbers, financial information or student data from its learning platforms. We discuss misconfiguration risk and the limits of non-sensitive data.

Need a configuration and exposure review of your SaaS estate? Visit www.kinsoft.com.au to talk through your security and IT needs.

Sources: BleepingComputer; The Register.