Critical

McGraw Hill Breach: 13.5M Emails & Personal Data Exposed (2026)

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later pu...

Overview

In April 2026, educational publishing giant McGraw Hill confirmed a critical data breach after an extortion attempt. The incident stemmed from a misconfiguration in a Salesforce-hosted webpage, which the company initially described as exposing a “limited set of data.” However, over 100GB of data was later publicly distributed, containing the personal information of approximately 13.5 million individuals.

What Was Exposed

The breach exposed a significant volume of personal information. The core dataset includes 13.5 million unique email addresses. For a substantial number of these accounts, the following additional data was also exposed, though inconsistently across records:

  • Names
  • Phone Numbers
  • Physical Addresses

This combination creates a detailed profile for millions of students, educators, and customers.

Potential Impact

The exposure of this personally identifiable information (PII) creates multiple serious risks. With email addresses and names, victims are prime targets for highly convincing phishing and spear-phishing campaigns that can appear to come from McGraw Hill or other trusted entities. Access to phone numbers and physical addresses opens the door to vishing (voice phishing) calls, smishing (SMS phishing), identity theft, and even physical threats such as stalking. This data can also be used for credential stuffing attacks on other sites if users have reused passwords, or be sold to data brokers for intrusive marketing.

Recommendations

Affected individuals should take immediate steps to protect themselves.

  1. Beware of Phishing: Be extremely cautious of any emails, texts, or calls claiming to be from McGraw Hill, educational institutions, or financial services. Do not click links or provide additional information. Verify communications directly through official websites.
  2. Enable Multi-Factor Authentication (MFA): Activate MFA on your McGraw Hill account and, crucially, on any other account where you use the same email address or password, especially email and financial accounts.
  3. Monitor for Identity Theft: Be alert for unexpected mail, calls from debt collectors, or new accounts you didn’t open. Consider placing a fraud alert on your credit files with the major bureaus (Experian, TransUnion, Equifax).
  4. Use Unique Passwords: Ensure your McGraw Hill account password is strong and unique. Using a password manager is highly recommended.

How to Check If You’re Affected

The breach has been reported to the free service Have I Been Pwned. You can check if your email address was included in this incident by visiting: https://haveibeenpwned.com/Breach/McGrawHill. Simply enter your email address on the site to see if it appears in this or other known breaches.

Security Insight

This breach highlights the critical security risks inherent in third-party platform configurations, a recurring theme in recent cybersecurity news. Describing the exposure of 13.5 million records and 100GB of data as “limited” demonstrates a significant disconnect between corporate communications and the real-world risk to individuals. For the education sector, which handles vast amounts of sensitive data on minors and adults alike, such misconfigurations are particularly egregious and demand stricter vendor security assessments.
