The extortion group ShinyHunters recently published data linked to 13.5 million McGraw Hill user accounts. The breach resulted from a vulnerability in a third-party webpage, exposing names, emails, and physical addresses. McGraw Hill confirms that internal grading platforms and courseware remain secure.
What Happened
Earlier this month, McGraw Hill identified unauthorized access to a webpage hosted by Salesforce, a cloud-based software company. The extortion group ShinyHunters claimed to possess 45 million records containing personal information and threatened to publish them unless a ransom was paid.
McGraw Hill disputes the scale of these claims. A company spokesperson stated the incident did not involve unauthorized access to core customer databases, grading courseware, or internal systems. While the educational platforms used by schools remain intact, cybercriminals distributed over 100 gigabytes of data online containing user contact information. This exposure stems from a misconfiguration within the Salesforce environment that impacted multiple organizations globally.
The Bigger Picture
Educational technology relies on third-party vendors, which creates vulnerabilities for student data. Schools and universities are common targets for cyberattacks, and managing vendor risk is a security requirement. As we previously reported, a single weak link in a software supply chain can expose sensitive information.
To combat these risks, the education community relies on standardized assessment tools. Many institutions now require software providers to complete a Higher Education Community Vendor Assessment Tool (HECVAT) before purchase. This verifies that a company maintains the cybersecurity policies necessary to protect student data.
One-time assessments are not enough. To monitor these vendors, groups like Internet2 launched the NET+ UpGuard service. Evaluated by multiple higher education institutions, this platform allows IT administrators to spot third-party misconfigurations to catch vulnerabilities before hackers exploit them.
What This Means for Families
While student grades and internal performance records were not altered in the McGraw Hill incident, the exposed contact information creates a risk for identity theft and targeted scams. Criminals use stolen Personally Identifiable Information—such as names, physical addresses, and email addresses—to launch spear-phishing attacks.
Unlike generic spam, spear-phishing uses specific details to make fraudulent messages appear legitimate. Attackers use AI-driven phishing to scrape the internet for context, combining stolen records with artificial intelligence to draft personalized messages. These messages often masquerade as urgent emails from school district offices or familiar education platforms. Because they contain accurate personal details, they bypass traditional spam filters. If a parent or staff member provides login credentials, that compromised account can act as a door for unauthorized access to an entire district’s network.
What You Can Do
Verify urgent requests by treating any email or text message demanding action regarding student accounts with suspicion. If a message claims to be from McGraw Hill or your local school district, do not click the provided links. Use the official website instead.
Implement security tiers, as stolen contact information is the first step in identity theft. Consider placing a fraud alert on your credit file, which requires businesses to verify your identity before opening new credit accounts.
Lock down student identities. Children are targets for identity theft because their credit files are unmonitored. Parents should freeze their children's credit as a preventative measure, treating school data breach notices as a prompt to act.