Infinite Campus data breach affects 137,000 school staff accounts
At a glance:
- Over 137,000 school staff accounts compromised in Salesforce data theft attack
- ShinyHunters extortion group claimed responsibility, leaking 1.2GB of internal documents
- Exposed data includes PII, support tickets, and contact details; no student database access confirmed
What happened
Infinite Campus, a leading education technology (EdTech) company serving over 3,200 U.S. school districts, confirmed a data breach in March 2025 that exposed personal information from more than 137,000 school staff accounts. The breach targeted the company's Salesforce instance, which stores names, contact details, and other publicly available information. While Infinite Campus initially did not name the attackers, it later acknowledged the incident was linked to a group known for compromising Salesforce accounts across multiple organizations.
The ShinyHunters extortion gang, which has a history of targeting enterprise software platforms, claimed responsibility for the attack. They leaked a 1.2GB archive of documents allegedly containing Salesforce records with personally identifiable information (PII) and internal corporate data. This included unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets. Despite the breach, Infinite Campus stated there was no evidence of unauthorized access to customer databases.
Who is affected
The breach impacts school staff members whose data was stored in Infinite Campus's Salesforce system. According to Have I Been Pwned, the leaked data encompasses 137,100 unique accounts, primarily consisting of directory information commonly found on school websites. This includes educators, administrators, and other personnel across 46 states where Infinite Campus operates. The company serves 11 million students through its student information system (SIS), though the breach did not directly compromise student data.
Affected individuals may face risks such as phishing attempts or identity theft, given the exposure of contact details and job-related information. Schools using Infinite Campus are advised to review their security protocols and notify staff about potential vulnerabilities. The incident underscores the growing cybersecurity challenges facing educational institutions, which increasingly rely on third-party platforms for administrative functions.
The attackers
ShinyHunters has emerged as a significant threat actor in recent years, targeting Salesforce customers through tactics such as credential theft and the exploitation of vulnerabilities in enterprise software. In this case, the group specifically focused on Infinite Campus's Salesforce instance, which is used for managing staff communications and support. Their leak site, which operates as a data extortion platform, has become a hub for publishing stolen records from high-profile breaches.
The group's broader campaign includes the Salesloft Drift hack and the Salesforce Aura campaign, where they allegedly stole over 1.5 billion records from hundreds of companies. More recently, ShinyHunters has pivoted to exploiting a zero-day vulnerability in Oracle's PeopleSoft enterprise software suite, targeting over 100 organizations, including the University of Nottingham. This pattern highlights their adaptability in leveraging both known and unknown security gaps for large-scale data theft.
Broader context
The Infinite Campus breach echoes the December 2024 PowerSchool hack, which affected 62 million students and led to a four-year prison sentence for the 19-year-old perpetrator. While both incidents targeted EdTech platforms, the scale and nature of the data at risk differ significantly. PowerSchool's breach had direct implications for student privacy, whereas Infinite Campus's incident primarily exposed staff information.
These attacks reflect a rising trend of cybercriminals targeting educational institutions, which often lack the resources of larger corporations to defend against sophisticated threats. The use of Salesforce as an attack vector also demonstrates how third-party platforms can become entry points for broader breaches, even when core systems remain uncompromised.
What to watch next
Infinite Campus has not disclosed specific remediation steps beyond its initial notifications, leaving questions about how it plans to secure its Salesforce instance and prevent future breaches. Security experts are likely to scrutinize the company's incident response and whether it will adopt more robust monitoring tools, such as breach and attack simulation platforms like Picus Security, to detect vulnerabilities proactively.
Meanwhile, ShinyHunters' ongoing campaigns against enterprise software vendors suggest that similar breaches could emerge in the near future. Organizations using Salesforce, PeopleSoft, or other widely adopted platforms should review their access controls and consider multi-layered security strategies to mitigate risks from both known and zero-day threats.
Why it matters
The breach underscores the critical need for EdTech providers to prioritize cybersecurity, especially as they handle sensitive data for millions of users. While Infinite Campus emphasized that exposed data was largely public, the incident reveals how even non-sensitive information can be weaponized for social engineering attacks. Schools and districts must remain vigilant in updating their security practices and training staff to recognize potential threats.
For investors and stakeholders, the breach serves as a reminder of the reputational and financial risks tied to data security in the education sector. As regulatory scrutiny around student and staff data protection increases, companies like Infinite Campus will face mounting pressure to demonstrate robust security measures and transparent incident reporting.
Prepared by the editorial stack from public data and external sources.