Critical

McGraw Hill Breach: 13.5M Emails & Personal Data Exposed (2026)

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later pu...

Overview

On April 14, 2026, education publisher McGraw Hill confirmed a data breach affecting over 13.5 million individuals. The breach originated from a misconfigured Salesforce webpage that exposed a database of user information. Initially reported as a limited incident, more than 100GB of data was later published online after an extortion attempt. The breach has been added to Have I Been Pwned, confirming the massive scale. This is one of the largest education-sector breaches in recent years, directly impacting students, educators, and institutional customers who used McGraw Hill’s online learning platforms.

What Was Exposed

The exposed dataset includes 13,500,136 records containing:

  • Email Addresses - Primary login credential for most accounts, enabling phishing and account takeover attempts.
  • Full Names - Exposes user identity, making social engineering attacks more convincing.
  • Phone Numbers - Increases risk of SMS-based phishing (smishing) and spam calls.
  • Physical Addresses - Potentially hazardous for students and educators whose home addresses were tied to their accounts.

No financial data, passwords, or Social Security numbers were reported exposed, but the combination of name, email, phone, and address is sufficient for targeted phishing campaigns and identity theft preparation.

How the Breach Happened

McGraw Hill attributed the breach to a Salesforce misconfiguration - a cloud infrastructure error that left a webpage accessible to unauthorized parties. Specifically, a Salesforce site exposed a database of user profiles without proper access controls. This falls under the category of cloud misconfiguration, a leading cause of data breaches in 2025 and 2026. Attackers likely discovered the exposed endpoint through automated scanning tools that crawl the internet for misconfigured databases. After McGraw Hill failed to pay an extortion demand, the attackers released the full dataset publicly.

Who’s Actually Affected

The breach primarily affects McGraw Hill customers who created accounts on its learning platforms, including:

  • College and university students using McGraw Hill Connect or ALEKS
  • K-12 educators and students using McGraw Hill classroom tools
  • Institutional administrators who managed school accounts

Because McGraw Hill’s services are integrated into many school systems, the breach may have ripple effects - schools themselves may face compliance issues under FERPA (Family Educational Rights and Privacy Act) for exposing student data.

What to Do Right Now

  1. Check if you’re affected: Visit Have I Been Pwned and enter your email address. If your email appears in this breach, proceed with the steps below.
  2. Watch for phishing emails: Scammers now have your email, name, and address. Expect fraudulent messages pretending to be from McGraw Hill offering “account recovery” or “compensation.” Never click links in unsolicited emails.
  3. Enable multi-factor authentication (MFA) on your primary email account. Even though passwords weren’t exposed, attackers can use your email to reset passwords on other services.
  4. Lock down your phone number: Set your phone number to private in your account settings. Consider using a virtual number for secondary accounts.
  5. Monitor for identity theft: Check your credit reports at AnnualCreditReport.com for any unauthorized accounts opened in your name.

Security Insight

This breach highlights a dangerous pattern: cloud misconfigurations continue to be the most preventable yet most exploited vulnerability in enterprise security. McGraw Hill’s statement that “a limited set of data” was exposed stands in stark contrast to the 13.5 million records and 100GB of data later dumped online - a classic case of underestimating breach scope. In the education sector, where sensitive student data is regulated by FERPA, this breach underscores why institutions must demand third-party vendor security audits. Schools using McGraw Hill products should now pressure the company for a detailed post-mortem and consider whether their data governance policies are sufficient to protect students when vendors fail.
