Infinite Campus Salesforce Breach Exposed 137,000 School Staff Accounts
Infinite Campus disclosed that attackers breached its Salesforce environment in March and exposed personal information linked to more than 137,000 school staff accounts. The company said the intrusion affected a system containing staff names and contact information, while stating there was no evidence its core customer databases were compromised. Infinite Campus is a major K-12 student information system provider used by more than 3,200 U.S. school districts and roughly 11 million students across 46 states.
The ShinyHunters extortion group later claimed responsibility and published data it said was stolen in a "pay or leak" campaign. Analysis by Have I Been Pwned found about 137,100 affected accounts, with exposed data including names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets. Infinite Campus told affected parties that much of the exposed information consisted of school staff directory details that are often publicly available on school websites.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters names additional education-sector victims
On 2026-06-16, ShinyHunters announced new victims including Glendale Community College, Moody Bible Institute, Illinois Central College, and Houston City College. The disclosure expanded the scope of the education-sector extortion activity beyond the previously documented Infinite Campus incident.
Have I Been Pwned adds Infinite Campus breach analysis
Have I Been Pwned analyzed the leaked dataset and reported 137,100 affected accounts tied to the Infinite Campus breach. The analysis found exposed records containing names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets.
Infinite Campus notifies affected parties about exposed staff data
Infinite Campus issued notifications stating that the exposed information largely consisted of names and contact information for school staff, and that much of it was directory information commonly available on school websites.
ShinyHunters publishes alleged Infinite Campus data
After the breach, ShinyHunters published data it claimed was stolen from Infinite Campus. Reported exposed data included about 137,000 unique email addresses along with names, phone numbers, physical addresses, usernames, and support tickets.
Infinite Campus Salesforce environment breached
In March 2026, Infinite Campus said an attacker targeted its Salesforce environment as part of a ShinyHunters "pay or leak" extortion campaign. The company stated the exposed information was largely school staff names and contact information, and said there was no evidence customer databases were compromised.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
EdTech Faces a Cybersecurity Crisis: Data Breaches Surge - Security Affairs
securityaffairs.com
Open sourceInfinite Campus Data Breach Exposes 137,000 Users Personal Details
cybersecuritynews.com
Open sourceInfinite Campus data breach affects 137,000 school staff accounts
bleepingcomputer.com
Open sourceHave I Been Pwned: Infinite Campus Data Breach
haveibeenpwned.com
Open sourceInfinite Campus Incident : r/k12sysadmin
reddit.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s **Salesforce** account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did **not** reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor **ShinyHunters** claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate. Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that **no student data was breached**.
Mar 28, 2026
McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration
McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the **ShinyHunters** extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted. After the extortion deadline passed, data tied to **13.5 million** McGraw Hill user accounts was reportedly leaked publicly, with **Have I Been Pwned** saying the dump contained more than **100GB** of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold **45 million** Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.
May 3, 2026
ShinyHunters Defaces Canvas Login Portals in Instructure Extortion Attack
ShinyHunters defaced **Canvas** login portals used by hundreds of colleges and universities after claiming a second compromise of Instructure, the education technology company behind the platform. The attackers displayed ransom messages on school login pages and in the Canvas app, threatening to leak stolen student and staff data unless Instructure entered negotiations by **May 12**. Reports said roughly **330 institutions** saw the defacement, which was linked to an injected HTML file and forced Instructure to take parts of Canvas offline while investigating. The disruption hit during a critical academic period, causing login failures, coursework interruptions, and warnings from universities about phishing and delayed assignments. The defacement followed Instructure’s earlier disclosure that attackers had stolen data tied to thousands of schools using Canvas. ShinyHunters claimed the haul included hundreds of millions of records from nearly **9,000 schools and education platforms**, including user records, private messages, and enrollment data obtained through Canvas export features and APIs. Instructure said stolen information included certain identifying data and user messages, but that it found no evidence of exposure of passwords, dates of birth, government identifiers, or financial information. Subsequent reporting said the intrusion was tied to an issue involving **Free-for-Teacher** accounts, those accounts were temporarily shut down, affected organizations were notified, and Instructure later said it paid the extortionists, received the data back, and obtained confirmation that the stolen files were destroyed.
May 10, 2026