ShinyHunters Extortion Gang Breaches Infinite Campus, Exposing 137,000 School Staff Records

The ShinyHunters extortion gang has claimed responsibility for a data breach targeting Infinite Campus, a leading K-12 student information system provider serving over 3,200 school districts across the United States. The breach, which occurred in March 2026, exposed personal information from more than 137,000 school staff accounts through a Salesforce data theft attack. The compromised data included names, email addresses, job titles, phone numbers, physical addresses, usernames, and support tickets—information that Infinite Campus characterized as largely consisting of directory information commonly found on school websites.

Infinite Campus, which manages data for approximately 11 million students across 46 states, notified affected customers of the incident in March without initially attributing it to a specific threat actor. The company described the attacker only as "part of a group known for targeting the Salesforce accounts of hundreds of companies." ShinyHunters later claimed responsibility and published a 1.2GB archive of documents allegedly containing Salesforce records with personally identifiable information and other internal corporate data. Data breach notification service Have I Been Pwned analyzed the leaked dataset and confirmed it contained 137,100 unique accounts with detailed personal information.

Crucially, Infinite Campus stated it had no evidence that customer databases containing student records were compromised, limiting the breach's scope to staff information. The company emphasized that the exposed data "the majority is directory information commonly found on school websites," suggesting much of the information may have already been publicly available through school directories.

The Infinite Campus breach mirrors the December 2024 PowerSchool incident in methodology but differs significantly in scale and impact. While the PowerSchool breach affected 62 million students and resulted in the conviction and 4-year prison sentence of a 19-year-old Massachusetts college student in May 2025, the Infinite Campus breach was limited to staff contact information. ShinyHunters has demonstrated a pattern of targeting Salesforce customers, claiming to have stolen more than 1.5 billion records across multiple campaigns, including the Salesloft Drift and Salesforce Aura breaches. The group has also recently claimed responsibility for exploiting a zero-day vulnerability in Oracle's PeopleSoft suite to target over 100 organizations, including the University of Nottingham.