ShinyHunters Breaches Infinite Campus, Exposes 137,000 School Staff Accounts
The ShinyHunters extortion gang stole personal data from over 137,000 school staff accounts by breaching the Salesforce instance of Infinite Campus, a student information system used by thousands of U.S. school districts.
The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March.
Infinite Campus is an education technology (EdTech) company that provides a student information system (SIS) to over 3,200 school districts across the United States, managing data for 11 million students in 46 states. Although it didn't attribute the incident to a specific hacking group when it notified customers of the breach in March, Infinite Campus described the attacker as "part of a group known for targeting the Salesforce accounts of hundreds of companies."
Infinite Campus also told affected customers that the exposed data contained the names and contact details for school staff and other publicly available information, but added that it had no evidence that customer databases were compromised. "Their target was the Infinite Campus Salesforce instance, consisting of names and contact information for school staff; the majority is directory information commonly found on school websites," it said.
While Infinite Campus didn't share further details about the attack, the ShinyHunters data extortion group claimed responsibility for the breach on its data leak site and leaked a 1.2GB archive of documents allegedly containing Salesforce records with personally identifiable information (PII) and other internal corporate data.
Data breach notification service Have I Been Pwned analyzed the leaked data and said today that the breach has exposed data from 137,100 accounts, including unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets. "The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets," Have I Been Pwned said.
The Infinite Campus incident is very similar to the December 2024 PowerSchool hack, but the impact is vastly different, given that the PowerSchool breach affected 62 million students. The hacker behind that attack, a 19-year-old college student from Massachusetts, was also sentenced to 4 years in prison after a guilty plea in May 2025.
ShinyHunters has targeted many Salesforce customers over the past year, claiming to have stolen more than 1.5 billion records after breaching hundreds of companies in the Salesloft Drift hack and the Salesforce Aura campaign. More recently, the extortion group has claimed responsibility for a new data theft campaign that exploits a zero-day vulnerability in Oracle's PeopleSoft enterprise business software suite to steal data from over 100 organizations, including the University of Nottingham.