ShinyHunters Claims Infinite Campus Breach — 11 Million Students in the Crosshairs
The prolific threat group ShinyHunters posted a breach claim against Infinite Campus on the Tor network on March 22, 2026, threatening to leak stolen data unless the company entered negotiations by March 25. Infinite Campus is one of the largest K-12 student information systems (SIS) in the United States, serving 11 million students across 3,200 school districts in 46 states. The company confirmed unauthorized access was detected on March 18 via a compromised employee Salesforce account, but stated that no student database had been accessed — with the exposed data limited to staff contact information from support tickets.
| Attribute | Value |
|---|---|
| Threat Actor | ShinyHunters |
| Target | Infinite Campus (K-12 SIS platform) |
| Initial Access | Employee Salesforce account compromise |
| Access Detected | March 18, 2026 (afternoon) |
| Breach Claim Posted | March 22, 2026 (Tor network) |
| Negotiation Deadline | March 25, 2026 |
| Student Records Exposed | None confirmed — company denies student DB access |
| Data Confirmed Exposed | Staff names, contact info from Salesforce support tickets |
| Platform Scale | 11 million students, 3,200 districts, 46 U.S. states |
How the Breach Occurred
On the afternoon of March 18, 2026, Infinite Campus security teams detected unauthorized access to the company's environment. Forensic investigation traced the intrusion to a compromised employee Salesforce account, a vector that bypasses network perimeter defenses entirely because the attacker logs in to a trusted SaaS platform with legitimate credentials.
Salesforce environments often contain rich repositories of sensitive data: customer support ticket histories, contact records, case notes, and internal communications. In Infinite Campus's case, the exposed data reportedly included staff names and contact information from customer support tickets — information that, while not student records, could be used to conduct targeted phishing against school district IT staff or administrators.
ShinyHunters' Extortion Timeline
Four days after the initial access was detected, ShinyHunters surfaced on a Tor-based data leak forum on March 22 with a formal breach claim and an ultimatum: negotiate by March 25 or face a public data leak. This rapid escalation from breach to extortion — four days — reflects a shift in how sophisticated groups monetize intrusions. Rather than spending weeks or months in a network conducting reconnaissance, ShinyHunters has increasingly favored a grab-and-extort model that moves quickly to maximize leverage while minimizing exposure time.
Infinite Campus stated publicly that it does not believe student data was accessed, attributing the breach to Salesforce support system data only. The company did not confirm whether it engaged in any negotiation with the threat actors.
ShinyHunters: A Pattern of High-Profile Breaches
ShinyHunters is not a new name in cybersecurity circles. The group has been linked to a series of major breaches across multiple industries, including:
- TELUS Digital — employee data and source code
- Crunchyroll — user account data
- AT&T (2024) — a 73-million-record breach
- Ticketmaster (2024) — one of the largest data theft events in recent memory
The Infinite Campus intrusion fits ShinyHunters' known methodology: targeting third-party SaaS platforms or vendor access chains rather than attacking core systems directly, harvesting available data quickly, and using extortion as the primary monetization strategy.
Why K-12 Data Is Particularly Sensitive
Student information systems hold some of the most sensitive data categories that exist: names, addresses, dates of birth, grades, disciplinary records, health information, and family details. For minor children, this data cannot be easily changed if compromised, and its exposure can have consequences that last years or decades. Federal law — specifically FERPA (Family Educational Rights and Privacy Act) — governs access to and disclosure of student education records, and a confirmed student data breach would trigger mandatory notification obligations for affected school districts.
Even if Infinite Campus's claim that no student database was accessed is accurate, the incident demonstrates that the pathways into these platforms are being actively probed by sophisticated threat actors.
| Impact Area | Description |
|---|---|
| Student Records | No confirmed student data exposure per Infinite Campus |
| Staff Data | Names and contact information from Salesforce support tickets exposed |
| School Districts | 3,200 districts across 46 states potentially notified |
| Regulatory Exposure | FERPA obligations triggered if student data confirmed accessed |
| Reputational | Trust damage to a platform serving 11 million children |
| Phishing Risk | Exposed staff contacts create targeted spear-phishing opportunities |
| ShinyHunters Pattern | Part of broader campaign targeting education and SaaS providers |
Recommendations for School Districts
- Verify your district's exposure: Contact your Infinite Campus account representative directly to confirm whether your district's data appears in the confirmed exposure set.
- Alert IT administrators: Staff names and contact info from support tickets may be used to craft convincing spear-phishing emails targeting district IT staff. Increase vigilance for unusual requests or credential prompts.
- Review FERPA obligations: If Infinite Campus notifies your district of student data exposure, consult legal counsel on mandatory notification timelines for parents and guardians.
- Audit SIS access: Review which staff accounts have access to the Infinite Campus portal and ensure all accounts use strong, unique passwords with MFA enabled.
Recommendations for EdTech and SaaS Vendors
- Treat SaaS platforms as high-value attack surfaces: Salesforce, Zendesk, ServiceNow, and similar support platforms contain enough data to fuel targeted attacks — secure them accordingly.
- Enforce MFA on all employee SaaS accounts: A single compromised credential should never provide a direct path into customer data. MFA is the minimum baseline.
- Implement data classification in support systems: Not all support tickets require access to full customer records. Minimize data exposure within support workflows through role-based access and data masking.
- Conduct third-party penetration testing on SaaS integrations: The weakest link is often not your core platform — it's the connected ecosystem.
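To illustrate the role-based access and data masking recommendation above, the following is an added example, not code from Infinite Campus, Salesforce, or the original article. The role names, ticket field names, and sample ticket are hypothetical and constructed for illustration; the point it shows is that contact details also have to be masked in free-text fields, not just in structured ones.

```python
import re

# Hypothetical role names: only these roles see unmasked contact details.
FULL_ACCESS_ROLES = {"support_lead", "privacy_officer"}

# Hypothetical ticket field names that are masked for every other role.
CONTACT_FIELDS = ("contact_email", "contact_phone")
FREE_TEXT_FIELDS = ("subject", "description")

EMAIL_RE = re.compile(
    r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?(\d{4})(?!\d)")

def mask_text(text):
    """Mask e-mail local parts and all but the last four phone digits."""
    text = EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", text)
    return PHONE_RE.sub(lambda m: f"***-***-{m.group(1)}", text)

def mask_name(name):
    """Reduce a full name to initials, e.g. 'Jordan Doe' -> 'J. D.'."""
    return " ".join(f"{part[0]}." for part in name.split())

def view_ticket(ticket, role):
    """Return the ticket as `role` may see it; unknown roles get the masked view."""
    if role in FULL_ACCESS_ROLES:
        return dict(ticket)
    masked = dict(ticket)
    masked["contact_name"] = mask_name(ticket["contact_name"])
    for field in CONTACT_FIELDS + FREE_TEXT_FIELDS:
        masked[field] = mask_text(ticket[field])
    return masked

# Constructed sample ticket (not real data). The contact details are
# repeated inside the free-text description, as they often are in practice.
TICKET = {
    "case_id": "CASE-0001",
    "contact_name": "Jordan Doe",
    "contact_email": "jdoe@district.example",
    "contact_phone": "(555) 010-4477",
    "subject": "Gradebook sync failing",
    "description": "Please call 555-010-2291 or mail "
                   "jdoe@district.example after 3pm.",
}
```

Pattern-based masking does not catch personal names written into free text; those need field-level controls or review at ticket intake.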
Recommendations for Parents
- Monitor for phishing: If you interact with your school district's online portals, be alert to unusual emails or login prompts. ShinyHunters' extortion model sometimes escalates to direct phishing of end users.
- Check if your child's school uses Infinite Campus: If so, ask your district what specific data is stored in the platform and whether they have received notification from Infinite Campus.
Key Takeaways
- ShinyHunters claimed a breach of Infinite Campus on March 22, 2026 — four days after unauthorized access was first detected via a compromised employee Salesforce account.
- Infinite Campus serves 11 million students across 3,200 school districts in 46 states, making it one of the most sensitive education platforms in the U.S.
- The company denies that any student database was accessed, with confirmed exposure limited to staff names and contact information from Salesforce support ticket records.
- ShinyHunters set a March 25 deadline for negotiations before threatening to leak data publicly, consistent with their rapid extortion playbook seen in previous high-profile attacks.
- The breach is part of ShinyHunters' broader campaign targeting organizations with rich SaaS footprints, including TELUS Digital and Crunchyroll.
- Even without confirmed student data exposure, the incident highlights that K-12 platforms are active targets — and that SaaS-based access chains are now a primary intrusion vector for sophisticated threat actors.