ShinyHunters Strikes K-12 Education Sector
The notorious ShinyHunters extortion gang has claimed responsibility for a significant data breach targeting Infinite Campus, one of the most widely deployed K-12 student information systems in the United States. The attackers stole personal information from more than 137,000 school staff accounts by exploiting a Salesforce data theft vulnerability discovered and leveraged in March 2026.
Infinite Campus serves thousands of school districts across the country, managing student records, grades, attendance, and staff data for millions of users — making it a high-value target for threat actors pursuing large-scale data extortion campaigns.
Attack Vector: Salesforce Exploitation
The breach leveraged unauthorized access to Infinite Campus systems via Salesforce, the customer relationship management platform used by the company. ShinyHunters has developed a pattern of exploiting Salesforce infrastructure to extract data at scale, with this attack following similar campaigns against other large enterprise organizations.
The attackers gained access to staff account data in March 2026, with the breach being publicly disclosed and confirmed in June following the extortion group's claims. The delay between compromise and disclosure is common in extortion-driven breaches, where attackers often use the stolen data as leverage in ransom negotiations.
What Data Was Exposed
While Infinite Campus has not released a full accounting of the stolen data fields, breaches of this type targeting SIS (Student Information System) platforms and associated CRM records typically expose:
- Full names of school staff members
- Email addresses (institutional and potentially personal)
- Phone numbers and contact information
- Job titles and district/school affiliations
- Account credentials or partial authentication data
With over 137,000 affected staff accounts, the breach represents one of the larger education sector incidents of 2026, raising concerns about downstream phishing and social engineering attacks targeting school employees.
ShinyHunters: Prolific Extortion Threat Actor
ShinyHunters has been one of the most active data extortion groups operating in 2025 and 2026. The group has claimed breaches against:
- Infinite Campus (K-12, 137K accounts — June 2026)
- ADT (55 million customers — April 2026)
- Medtronic (healthcare, 9 million records — April 2026)
- Canvas/Instructure (365 TB data extortion — May 2026)
- Telus Digital and multiple other organizations
The group typically gains access through third-party platforms, cloud services, or SaaS provider vulnerabilities rather than direct attacks on target organizations, making perimeter defenses less effective.
Impact on School Districts
School districts and education institutions that rely on Infinite Campus for staff management should take immediate action:
- Reset staff credentials for all accounts associated with Infinite Campus, particularly those using reused passwords.
- Enable MFA on Infinite Campus portals and associated email accounts if not already active.
- Alert staff to expect increased phishing attempts using their professional information.
- Review access logs for anomalous sign-ins or API activity in March–June 2026.
- Monitor for credential stuffing attacks on school email and systems using the exposed accounts.
Recommendations
Education IT teams should treat this breach as a reminder that SaaS and CRM platforms used by their vendors represent an indirect attack surface. Supply-chain awareness — knowing which third-party platforms hold your organization's data — is critical to understanding and managing risk.
The education sector has become a favored target for extortion groups due to limited security budgets, large volumes of personal data, and the reputational pressure on institutions to avoid public embarrassment during the school year.
Source: BleepingComputer. Published June 15, 2026.