The Incident
On 18 March 2026, attackers compromised Infinite Campus’s Salesforce customer service ticketing system through a social engineering attack. The entire active attack — from the initial phishing contact to the company locking out the attacker — lasted precisely 38 minutes. Infinite Campus confirmed multiple internal security controls flagged suspicious activity during the attack, enabling the rapid response.
Infinite Campus provides the software platform managing data for approximately 11 million students across 3,200 school districts in 46 US states. The platform is among the most widely deployed K-12 student information systems in the United States.
ShinyHunters’ Extortion Campaign
On 24 March 2026, ShinyHunters — the prolific ransomware and extortion group responsible for numerous high-profile data theft campaigns — posted a “final warning” on its dark web site, claiming to hold stolen Infinite Campus data and setting a ransom demand deadline of 25 March. Infinite Campus confirmed it would not comply with the extortion demands.
The dataset ShinyHunters threatens to leak centres on data from the Salesforce ticketing system, which contained:
- Names and contact details of school staff (teachers, administrators, IT personnel) — much of which is publicly available on school websites
- Support ticket history between school district IT staff and Infinite Campus support
- Potentially district configuration details and technical support records
What Was (and Was Not) Accessed
Infinite Campus’s investigation concluded that the attack was confined to the Salesforce ticketing environment and that no access to core student databases occurred. This distinction is significant:
- What was accessed: Salesforce customer support system containing school staff data
- What was not accessed (per Infinite Campus): Student records, grades, attendance data, health records, or the core SIS database platform
However, security researchers note that support ticket archives may contain sensitive technical information — configuration details, vulnerability disclosures, or credential reset requests — that could be leveraged in follow-on attacks against school districts.
Sector Context: Education Under Sustained Attack
This incident reflects a broader targeting pattern against the education sector. K-12 schools and universities are attractive to ransomware and extortion groups for several reasons:
- Large volumes of personal data including minors’ records (creating heightened regulatory and reputational pressure)
- Limited security resources relative to the data held
- Distributed IT environments across many districts and campuses, making consistent patching and monitoring difficult
- High pressure to restore services quickly (disruption affects children’s education)
ShinyHunters’ choice of a SaaS supplier (Infinite Campus) rather than individual school districts follows an increasingly common pattern of targeting shared technology providers that serve many organisations simultaneously.
Recommended Actions for School Districts
- Verify the scope of your Infinite Campus support tickets: request confirmation from Infinite Campus about whether your district’s tickets were in the accessed system, particularly if you have submitted tickets containing technical configuration details, credential information, or security disclosures
- Review IT staff credentials: any staff member who has interacted with Infinite Campus support should rotate passwords and verify MFA is enabled on accounts that match the email addresses present in support tickets
- Monitor for targeted phishing: ShinyHunters may use harvested school IT staff contact details for targeted spear-phishing against school districts — brief IT administrators and principals about this risk
- Audit your Salesforce and SaaS integrations: review what data flows through customer support systems across all your SaaS vendors — support tickets frequently contain more sensitive information than vendors disclose
- Report to CISA if you identify evidence of exploitation using data from this incident — the K-12 sector has dedicated CISA resources and reporting can help protect peer districts
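One way a district could act on the first three recommendations is to triage its own copy of the tickets it sent to vendor support. The script below is an added example, not code from Infinite Campus or from the original article. The CSV columns (ticket_id, submitter, body), the pattern set and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Material that must be rotated if it ever appeared in a ticket body.
ROTATE = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+"),
    "token": re.compile(r"(?i)\b(?:api[_ -]?key|token|secret)\b\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "conn_string": re.compile(r"(?i)\b(?:jdbc:\w+|ldaps?|postgres(?:ql)?|mysql)://\S+"),
}
# Configuration detail and reset requests: raise with the vendor and review.
REVIEW = {
    "internal_ip": re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
    "reset_request": re.compile(
        r"(?i)\b(?:reset|unlock)\b.{0,40}\b(?:password|account|mfa)\b"),
}

# Constructed sample export (hypothetical columns; no real tickets or secrets).
SAMPLE_CSV = """ticket_id,submitter,body
T-1001,Alice.Admin@district.example,"SSO sync failing. Service password: Example-Not-Real1 on host 10.20.30.40"
T-1002,bob.it@district.example,"Please reset the password for the registrar account, MFA locked out."
T-1003,alice.admin@district.example,"Report card template renders blank in preview."
T-1004,carol.net@district.example,"ODBC export uses jdbc:sqlserver://sis-db.district.example:1433;user=export"
"""


def triage(csv_text):
    """Return (flagged tickets, staff addresses present in the ticket set)."""
    flagged, staff = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        staff.add(row["submitter"].strip().lower())
        body = row["body"]
        rotate = sorted(k for k, rx in ROTATE.items() if rx.search(body))
        review = sorted(k for k, rx in REVIEW.items() if rx.search(body))
        if rotate or review:
            # Record categories only, so the report never re-copies a secret.
            flagged.append({"ticket_id": row["ticket_id"],
                            "rotate": rotate, "review": review})
    return flagged, sorted(staff)


if __name__ == "__main__":
    tickets, staff = triage(SAMPLE_CSV)
    for t in tickets:
        print(t["ticket_id"], "rotate:", t["rotate"], "review:", t["review"])
    print("rotate password / verify MFA / phishing briefing:", staff)
```

Tickets listed under "rotate" identify secrets to replace regardless of the vendor's scoping answer; the staff list covers everyone whose address appears in the ticket set.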