PROBABLYPWNED
Data Breaches | March 25, 2026 | 4 min read

ShinyHunters Extorts Infinite Campus After Salesforce Breach

K-12 student information system provider Infinite Campus discloses breach affecting school staff data. ShinyHunters issued March 25 ransom deadline after claiming to steal Salesforce records.

Sarah Mitchell

Infinite Campus, a student information system used by over 3,200 school districts serving 11 million students, has disclosed a data breach following an extortion attempt by ShinyHunters. The company says it won't pay the ransom.

The incident occurred on March 18, 2026, when attackers compromised an employee's Salesforce account. According to Infinite Campus's disclosure, internal security controls flagged suspicious activity the same day, enabling rapid containment.

What Was Stolen

ShinyHunters claims to have stolen Salesforce records containing personally identifiable information and internal corporate data. The group posted a "final warning" on its dark web site, giving Infinite Campus until March 25 to negotiate before leaking the data.

Infinite Campus characterized the exposure differently. The company says the compromised data primarily consists of "names and contact information for school staff; the majority is directory information commonly found on school websites."

Critically, no student databases were accessed. The affected Salesforce instance handled business operations, not the core student information system that stores grades, health records, and other sensitive student data.

ShinyHunters' Pattern

This breach fits ShinyHunters' established playbook: compromise a third-party service or internal business system, exfiltrate what they can, then demand payment under threat of public exposure. The group has previously targeted Telus and Crunchyroll through similar contractor and service provider compromises.

ShinyHunters tends to go after lower-hanging fruit rather than core databases. They've found success monetizing even limited datasets—staff directories, internal communications, business records—when organizations prioritize avoiding public embarrassment over the actual sensitivity of stolen data.

Company Response

Infinite Campus is refusing to engage with the attackers. The company also took proactive measures: temporarily disabling certain customer-facing services for districts that hadn't configured IP address restrictions, and conducting a comprehensive review of all Salesforce data that may have been accessed.

The company is contacting potentially impacted school districts with guidance, though specific recommended actions weren't detailed in public statements.

Impact Assessment

Despite serving 11 million students across 46 states, this breach's actual impact appears limited. The attack hit business systems, not the educational platform containing sensitive student records. School staff contact information—while not ideal to have leaked—is often already public through school websites and directories.

That said, the exposure creates phishing risk. Attackers who know which administrators work at which schools, along with their email addresses, can craft convincing spear-phishing campaigns targeting school IT staff. Given the ongoing wave of credential-stealing attacks targeting educational institutions, school districts should heighten awareness.

For organizations unfamiliar with how these extortion schemes work, our guide to understanding data breaches covers the typical attack lifecycle and response considerations.

Recommendations for Schools

School districts using Infinite Campus should take these steps:

  1. Watch for Infinite Campus communications - Follow any guidance they provide
  2. Implement IP restrictions - If you haven't already, restrict Salesforce access to approved IP ranges
  3. Brief staff on phishing - Warn employees that their contact information may have been exposed
  4. Review admin access - Audit who has Salesforce access and whether they still need it
  5. Enable MFA everywhere - If not already in place, require multi-factor authentication for all administrative accounts
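
For steps 2 and 4, a district can check an exported login history against its approved IP ranges and list accounts with no recent successful login. The script below is an added example, not code from Infinite Campus or Salesforce; the CSV column names, sample rows, usernames, and IP range are constructed and should be adjusted to the real export.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export; column names are assumed, adjust to your export.
SAMPLE_LOGINS = """Username,SourceIp,LoginTime,Status
alice@district.example,192.0.2.10,2026-03-17T08:02:00,Success
alice@district.example,203.0.113.77,2026-03-18T02:14:00,Success
bob@district.example,192.0.2.45,2025-11-03T09:30:00,Success
carol@district.example,198.51.100.9,2026-03-18T02:20:00,Failed
carol@district.example,192.0.2.51,2026-03-19T07:55:00,Success
"""

APPROVED_RANGES = ["192.0.2.0/24"]  # constructed: the district's office egress range


def audit_logins(csv_text, approved_ranges, now, stale_days=90):
    """Return logins from outside approved ranges and accounts with no recent successful login."""
    networks = [ipaddress.ip_network(r) for r in approved_ranges]
    outside, last_success = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["SourceIp"])
        when = datetime.fromisoformat(row["LoginTime"])
        if not any(ip in net for net in networks):
            # Failed attempts from unapproved addresses are kept: they show probing.
            outside.append((row["Username"], str(ip), row["LoginTime"], row["Status"]))
        if row["Status"] == "Success":
            prev = last_success.get(row["Username"])
            if prev is None or when > prev:
                last_success[row["Username"]] = when
    # Accounts whose latest successful login predates the cutoff are review candidates.
    cutoff = now - timedelta(days=stale_days)
    stale = sorted(u for u, t in last_success.items() if t < cutoff)
    return {"outside_ranges": outside, "stale_accounts": stale}


if __name__ == "__main__":
    report = audit_logins(SAMPLE_LOGINS, APPROVED_RANGES, datetime(2026, 3, 25))
    for user, ip, when, status in report["outside_ranges"]:
        print(f"OUTSIDE APPROVED RANGE  {when}  {user}  {ip}  {status}")
    for user in report["stale_accounts"]:
        print(f"NO SUCCESSFUL LOGIN IN 90 DAYS  {user}")
```

Accounts that never logged in successfully do not appear in the stale list, so compare the output against the full user roster as well.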

The Broader Problem

This incident highlights the risk third-party business tools pose even when core systems remain secure. Organizations often apply strong security controls to their primary platforms while neglecting CRM, support, and collaboration tools that still contain sensitive information.

ShinyHunters and similar groups have repeatedly exploited this gap. A Salesforce breach might not expose student grades, but it can still provide leverage for extortion, fuel phishing campaigns, and create headlines that damage institutional trust.

The March 25 deadline has passed. If ShinyHunters follows through on their threat, we may see whatever data they obtained become public. Schools should prepare communications for parents and staff in case that happens.
