Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s Salesforce account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did not reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor ShinyHunters claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate.
Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that no student data was breached.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Review of leaked files finds limited sensitive student data in support tickets
After ShinyHunters leaked data allegedly stolen from Infinite Campus, DataBreaches reviewed the tranche and found no evidence that student databases were compromised, with most files appearing proprietary or client-related. However, the review identified a small number of support tickets containing student names and some sensitive details such as disability status, discipline information, IEP dates, withdrawal information, and arrest-related reporting details.
North Carolina education officials begin monitoring the incident
North Carolina Superintendent Maurice “Mo” Green issued a bulletin on the incident, and the North Carolina Department of Public Instruction said it was in direct communication with Infinite Campus. At that time, the state said it had no confirmation that North Carolina’s system was affected.
Infinite Campus warns customers and says student data was not impacted
Infinite Campus publicly acknowledged the security incident and told customers that exposed data appeared limited to school staff names and contact information, much of it already public. The company said no student information or customer databases were breached and that it would not negotiate with the attacker.
ShinyHunters claims breach and posts Infinite Campus on leak site
ShinyHunters claimed responsibility for the intrusion, listed Infinite Campus on its dark web leak site, and threatened to release allegedly stolen Salesforce records and internal corporate data. The group set a negotiation deadline of March 25.
Infinite Campus restricts some customer-facing services as a precaution
As part of containment, Infinite Campus disabled certain customer services for organizations without IP address restrictions while support teams worked to restore them. The measure was described as precautionary during the ongoing review of potentially compromised Salesforce data.
Infinite Campus disables affected account and begins incident response
After detecting the incident, Infinite Campus immediately disabled the compromised Salesforce account and began scanning Salesforce data for sensitive information that may have been included in support tickets. The company also started notifying affected districts if additional concerns were identified.
Threat actor accesses Infinite Campus employee Salesforce account
An attacker compromised an Infinite Campus employee’s Salesforce account used for internal case management and ticketing. Infinite Campus said the intrusion did not reach its student information system or customer databases.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Thankfully, the Infinite Campus incident did not involve a lot of non-directory student information - DataBreaches.Net
databreaches.net
Open sourceInfinite Campus Security Incident Awareness: No Impact to Student Data According to Infinite Campus - DataBreaches.Net
databreaches.net
Open sourceInfinite Campus warns of breach after ShinyHunters claims data theft
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Infinite Campus Salesforce Breach Exposed 137,000 School Staff Accounts
Infinite Campus disclosed that attackers breached its Salesforce environment in March and exposed personal information linked to more than **137,000** school staff accounts. The company said the intrusion affected a system containing staff names and contact information, while stating there was no evidence its core customer databases were compromised. Infinite Campus is a major K-12 student information system provider used by more than 3,200 U.S. school districts and roughly 11 million students across 46 states. The **ShinyHunters** extortion group later claimed responsibility and published data it said was stolen in a "pay or leak" campaign. Analysis by **Have I Been Pwned** found about **137,100** affected accounts, with exposed data including names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets. Infinite Campus told affected parties that much of the exposed information consisted of school staff directory details that are often publicly available on school websites.
Jun 17, 2026
ShinyHunters Breached Canvas, Stole Student Data, and Forced Global School Outages
Instructure, the company behind the Canvas learning management system, disclosed that a criminal threat actor breached its environment and stole user data from affected educational institutions. The company said the exposed information included **names, email addresses, student ID numbers, course and enrollment details, and messages between users**, while it found no evidence that passwords, dates of birth, government identifiers, financial information, course content, or student submissions were compromised. Reporting tied the intrusion to the **ShinyHunters** extortion group, which claimed far broader impact—up to **3.65 TB** of data and roughly **275 million records** across nearly **9,000 schools**—though those figures were not independently verified. Instructure said the attackers exploited flaws in its **Free-for-Teacher** environment, brought in outside forensic experts, notified law enforcement, revoked privileged credentials and access tokens, rotated keys, patched systems, and required some customers to reauthorize API access. The incident escalated when attackers allegedly reused the same access path to deface Canvas login portals with ransom messages, prompting Instructure to temporarily take Canvas offline and suspend Free-for-Teacher accounts while it contained the activity. The outage disrupted universities and schools across the U.S., Canada, Australia, Europe, and Asia during final exams, forcing some institutions to postpone tests, extend deadlines, or block access as a precaution. Instructure later said it reached an agreement with the threat actor under which the stolen data was returned and deletion was purportedly confirmed, but the company acknowledged there is no guarantee criminals actually destroyed their copies. The breach has since triggered warnings about follow-on phishing and impersonation campaigns, lawsuits, and scrutiny from the **U.S. House Homeland Security Committee** over how the same platform was compromised twice in quick succession.
Jun 8, 2026
Canvas Breach Disrupted Schools and Exposed User Data via Free-for-Teacher Flaw
A cyberattack against Instructure’s **Canvas** platform disrupted universities and K-12 schools across the United States, with major California institutions including UC, CSU, USC, Stanford, and community colleges reporting outages and academic disruption during finals. Ransom notes attributed to **ShinyHunters** appeared on some school homepages, and the FBI said it was assisting victims in multiple states while warning students and staff not to engage with extortionists or scammers. Schools extended deadlines, changed exam schedules, and shifted to alternate communication channels as Canvas services were restored. Instructure said an unauthorized actor exploited a vulnerability tied to support tickets in its **Free for Teacher** environment, which the company temporarily disabled while conducting a broader security review. The company later confirmed unauthorized access to part of its environment and said exposed data could include usernames, email addresses, course names, enrollment information, student ID numbers, and user messages, while passwords, dates of birth, government identifiers, financial data, course content, submissions, and credentials were not compromised. The incident renewed scrutiny of centralized education technology providers after earlier education-sector extortion cases, including reports that **PowerSchool** paid a ransom following claims that data on **62 million students** had been stolen.
Jun 3, 2026