Infinite Campus Breach Exposes 137,000 School Staff Records

Key Takeaways

• ShinyHunters stole 137,000 school staff records from Infinite Campus via a Salesforce attack in March 2026
• Exposed data includes names, emails, phone numbers, physical addresses, job titles, and support tickets
• The breach highlights ongoing third-party vendor security risks in education technology

ShinyHunters, the data extortion gang behind several high-profile Salesforce breaches, has claimed responsibility for stealing personal information from 137,000 school staff accounts at Infinite Campus. The attack, which occurred in March 2026, targeted the company's Salesforce instance rather than its core student databases.

Infinite Campus provides student information systems to over 3,200 school districts across the United States. The platform manages data for 11 million students in 46 states, making it one of the most widely used K-12 EdTech platforms in the country.

What Data Was Stolen

Have I Been Pwned, the breach notification service, analyzed the leaked data and confirmed the scope. The 1.2GB archive published by ShinyHunters contains 137,100 unique accounts with the following information:

• Names and email addresses
• Phone numbers and physical addresses
• Employer names and job titles
• Usernames
• Support ticket records

Infinite Campus downplayed the severity in its customer notification, stating that the exposed data "largely consisted of names and contact information for school staff" and that "the majority is directory information commonly found on school websites."

How the Attack Happened

The breach targeted Infinite Campus's Salesforce instance, not its student information databases. In its March notification to customers, the company described the attacker as "part of a group known for targeting the Salesforce accounts of hundreds of companies."

This attack pattern matches ShinyHunters' recent campaigns. The group has claimed to have stolen more than 1.5 billion records from Salesforce customers over the past year, including breaches tied to the Salesloft Drift hack and the Salesforce Aura campaign.

“Their target was the Infinite Campus Salesforce instance, consisting of names and contact information for school staff; the majority is directory information commonly found on school websites.”

— Infinite Campus, customer notification

Infinite Campus said it found no evidence that customer databases containing student records were compromised. The company did not disclose how attackers gained access to its Salesforce account.

Comparison to PowerSchool Breach

The Infinite Campus incident follows a similar pattern to the December 2024 PowerSchool hack, though the scale differs significantly. The PowerSchool breach affected 62 million students, making it one of the largest EdTech breaches on record.

The hacker behind the PowerSchool attack, a 19-year-old college student from Massachusetts, was sentenced to 4 years in prison after pleading guilty in May 2025. ShinyHunters operates as an organized extortion group and has not faced similar consequences.

Third-Party Vendor Risk in Education

Security professionals on Reddit and Hacker News pointed to the breach as another example of third-party vendor risk in educational institutions. The consensus: even "less sensitive" internal tools like CRM systems require strict access controls.

School districts often lack the security resources of large enterprises but handle similarly sensitive data. A compromised staff directory might seem low-risk, but phone numbers, emails, and support tickets can enable phishing attacks and social engineering against school systems.

What Affected Districts Should Do

1. Check Have I Been Pwned to confirm which staff accounts were exposed
2. Force password resets for any accounts using the same credentials elsewhere
3. Enable MFA on all SaaS integrations, including Salesforce
4. Implement IP-based access controls for administrative tools
5. Train staff to recognize phishing attempts using their leaked information

Have I Been Pwned has added the Infinite Campus breach to its database. Affected individuals can check whether their email appears in the leaked data.

Frequently Asked Questions

Was student data exposed in the Infinite Campus breach?

No. Infinite Campus said customer databases containing student records were not compromised. The breach affected the company's Salesforce instance, which stores staff contact information and support tickets.

How many school districts use Infinite Campus?

Infinite Campus serves over 3,200 school districts across 46 states, managing data for approximately 11 million students.

Who is ShinyHunters?

ShinyHunters is a data extortion gang that has targeted hundreds of Salesforce customers over the past year, claiming to have stolen more than 1.5 billion records across multiple campaigns.

How can I check if my data was exposed?

Visit Have I Been Pwned (haveibeenpwned.com) and enter your email address. The service has added the Infinite Campus breach to its database.

Is this related to the PowerSchool breach?

No. While both involve K-12 EdTech companies, the PowerSchool breach in December 2024 was a separate incident by a different attacker, affecting 62 million students.

Source: BleepingComputer