Infinite Campus Issues Data Breach Warning After ShinyHunters Extortion Attempt

Infinite Campus, a leading provider of student information systems for K-12 schools across the United States, has formally notified its customers of a security incident involving unauthorized access to an internal system. The disclosure follows an extortion demand issued by the data-theft group known as ShinyHunters.

Timeline of the Incident

The breach was detected on the afternoon of March 18, 2026, when an unauthorized actor gained access to an Infinite Campus employee's Salesforce account. Salesforce serves as the company's internal case management and ticketing platform rather than its core student information system. Security teams identified the intrusion promptly and disabled the compromised account immediately to contain the incident.

Following the detection, Infinite Campus engaged external cybersecurity experts to conduct a thorough forensic investigation. The company has emphasized that the affected system did not include the primary student information system used by school districts nationwide.

Nature of the Exposed Data

According to the official customer notification, the compromised Salesforce instance primarily contained contact information and directory-style records related to school staff members. This data consists largely of names and contact details that are routinely made available on many district and school websites as public directory information.

Infinite Campus has repeatedly assured customers that no student records were accessed or exfiltrated during the incident. This includes student grades, attendance data, health information, family contact details stored in the core system, and any other sensitive pupil information. Several state education departments, such as North Carolina's Department of Public Instruction, have echoed this confirmation in communications shared with local school districts.

ShinyHunters Extortion Claims

ShinyHunters first posted its claim on a dark web leak site around March 22, 2026, asserting that it had obtained Salesforce records containing personally identifiable information along with various internal corporate data. The group issued a final warning, setting a deadline of March 25, 2026, for Infinite Campus to initiate contact and negotiate payment to prevent the public release of the allegedly stolen files.

In its public statements on the leak site, ShinyHunters suggested the volume of data was substantial and threatened additional operational disruptions if demands were not met. However, Infinite Campus has maintained that the actual exposure remains limited and has refused to engage with the threat actors or pay any form of ransom.

Company Response and Mitigation Steps

In response to the incident, Infinite Campus took immediate precautionary measures by temporarily disabling certain customer-facing services for users who did not have IP address restrictions in place. This step was implemented to further minimize any risk of additional unauthorized access while the investigation continued.

Some school districts reported minor disruptions to support ticket processing and related administrative functions as a result of these restrictions. Core functionalities of the student information system itself remained fully operational throughout the period. The company has stated that these limitations were lifted as the situation stabilized.

Broader Context and Implications for K-12 Education

Infinite Campus supports millions of students and thousands of school districts nationwide, playing a central role in daily administrative operations for attendance tracking, grading, scheduling, and parent communications. The incident underscores the growing targeting of education technology providers by financially motivated threat groups seeking to exploit internal business tools such as customer relationship management platforms.

Although the compromised data appears to be of low sensitivity in this case, the event highlights vulnerabilities in third-party cloud services commonly integrated into enterprise environments. Salesforce, widely used for internal operations across many industries, has faced similar opportunistic attacks in recent months, prompting increased scrutiny of account security configurations and access controls.

Recommendations Issued to Affected Districts

School administrators receiving the notification have been advised to review internal staff directories and remain alert for potential follow-on phishing or social engineering campaigns that could leverage publicly available contact information. Districts are encouraged to reinforce multi-factor authentication policies for all cloud-based systems and to audit employee access privileges regularly.

Additional guidance includes maintaining updated incident response plans that prioritize rapid detection, containment, and transparent communication with stakeholders. Education leaders are also reminded that even directory information can be weaponized in targeted attacks if not handled with appropriate caution.

Current Status of the Investigation

As of March 24, 2026, Infinite Campus continues its comprehensive investigation into the root cause of the unauthorized access. The company is collaborating with law enforcement authorities and specialized cybersecurity firms to strengthen defenses and prevent similar incidents in the future. Further updates will be provided to customers if new details emerge that could impact school operations or data security.

This event serves as a reminder of the persistent cyber risks facing the education sector, where reliance on cloud platforms for both administrative efficiency and instructional support continues to expand rapidly.