ShinyHunters slipped into Infinite Campus's Salesforce instance back in March 2026 and pulled the personal records of 137,100 school staff. The gang published a 1.2GB archive on its data leak site and claimed the breach outright. Infinite Campus confirmed it—yes, the data came from a Salesforce instance—but drew one hard line: student and parent databases were untouched. The target wasn't the student data layer; it was the staff directory attached to it.
Have I Been Pwned verified the count. The dumped data mainly includes directory info—names, emails, phone numbers, addresses, job titles—that you could probably find on a school's website anyway. Think teachers, administrators, and support staff across 3,200+ districts serving 11 million students in 46 states. But again: it's a breach. And ShinyHunters isn't guessing where the weak spots are; they've turned it into a factory line.
What Actually Got Leaked
That 1.2GB archive isn't just a spreadsheet of names and emails. Have I Been Pwned broke the leak down field by field: unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and—here's the part that gives me pause—support tickets.
Support tickets? Yeah. Directory info is annoying when it leaks, sure, but internal support tickets can contain context: troubleshooting notes, references to other systems, access issues that staff reported to Infinite Campus. That's the kind of thing that gives attackers breathing room.
Infinite Campus's own notice to customers was precise: "Their target was the Infinite Campus Salesforce instance, consisting of names and contact information for school staff; the majority is directory information commonly found on school websites." So the lion's share of what was taken lines up with public contact info. But "the majority" isn't "all"—and the support ticket data lives right outside that safe zone.
The leak on ShinyHunters' site contains what they claim are Salesforce records with PII and internal corporate data. Keep in mind: that's the gang's word, not Infinite Campus's verification of every single field inside that file. The important detail is what they didn't claim to have: the actual student information system data. That distinction matters.
Why Salesforce Keeps Getting Pwned
This wasn't ShinyHunters' first rodeo with Salesforce customers. Over the past year, they've claimed responsibility for breaching hundreds of companies via the Salesloft Drift hack and the Salesforce Aura campaign—amassing over 1.5 billion stolen records between them.
The playbook is almost rote at this point: identify a vulnerability or misconfiguration in Salesforce-related infrastructure, move laterally at scale, and publish whatever they can monetize or leverage. They aren't hand-picking targets; they're mining the platform and sweeping up every compromised account within reach.
Recent examples bear this out: ShinyHunters weaponized a zero-day in Oracle's PeopleSoft enterprise software and hit over 100 organizations—including the University of Nottingham. Same story: one widely deployed system, exploited broadly, loot published quickly.
The Salesloft Drift campaign alone exposed data from dozens of companies that used the sales engagement platform. Salesforce Aura targeted organizations with specific configuration patterns—often smaller deployments where security hardening gets overlooked. Infinite Campus falls into that same bucket: a widely used platform, potentially with configuration gaps that ShinyHunters has been cataloging for months.
If your org runs Salesforce as a CRM or customer data platform and isn't doing continuous configuration monitoring, you're betting on the vendor to spot misconfigurations before someone like ShinyHunters does. And honestly? That's not a strategy—it's hoping the fire alarm doesn't fail.
PowerSchool: A Precedent With Very Different Fallout
The Infinite Campus breach looks a lot like the December 2024 PowerSchool hack, but the impact diverges sharply. PowerSchool's breach impacted 62 million students—directly—their SIS, their student records, everything. Infinite Campus exposed 137,100 school staff accounts: staff, not students.
The PowerSchool attacker? A 19-year-old college student from Massachusetts who pleaded guilty in May 2025 and got four years in prison. Different actor, same vector: both attacks leveraged the Salesforce infrastructure EdTech companies use for CRM and support operations.
PowerSchool's breach was devastating because it breached the student information system itself. Infinite Campus says its customer databases—where actual student records live—were never compromised. The real damage here is to staff privacy and internal corporate data, not millions of children's academic histories. That distinction matters more than people seem willing to admit.
It doesn't make the breach any less serious, but it does change how you measure risk. A staff directory leak is bad news for teachers and admins. A student record breach threatens the entire education ecosystem.
What School Districts Should Do Right Now
Affected staff members need to treat this breach like a phishing target. Their emails, phone numbers, and addresses are now in the hands of an extortion group that has repeatedly sold data to the highest bidder. Social engineering attacks targeting educators with this information won't look like generic spam—they'll be eerily specific, with real names and internal references.
Districts relying on Infinite Campus should verify whether they've been contacted. The vendor notified customers in March 2026, but if your district hasn't heard anything yet, reach out to your account rep. Remember that support ticket data: it might include your district's specific configurations, open cases, or configuration quirks that could help attackers tailor subsequent attempts.
From a security standpoint, this breach highlights something I've pushed on before: if your organization's customer data lives in Salesforce and you aren't doing continuous configuration monitoring, you're outsourcing security to hope—and ShinyHunters has made a career out of outsmarting hope.
Staff should also enable multi-factor authentication on all accounts, monitor for suspicious login attempts, and be wary of unsolicited communications referencing their employment or internal systems. The data is out there now, and while it may seem harmless on its own, combined with other breached datasets it becomes a powerful tool for targeted attacks.
The EdTech Infrastructure Is a Soft Target
EdTech companies manage some of the most sensitive data in the country: student records, health information, family addresses, academic histories. They also run on the same commercial platforms most enterprises use: Salesforce for CRM, ServiceNow for IT operations, various SIS tools for student data. When those platform layers crack, the damage ripples across hundreds of districts.
Infinite Campus serves 11 million students across more than 3,200 districts in 46 states. That's not some niche vendor—that's critical infrastructure for American education. And when ShinyHunters breaches the Salesforce instance that supports that infrastructure, it doesn't matter that they didn't hit the student database itself. Staff trust erodes. Phishing campaigns get more convincing. The 1.2GB leak becomes a permanent fixture on dark web marketplaces.
The fact that this attack mirrors the PowerSchool breach—same vector, same technique—shows a clear, repeatable path. As long as the education sector relies on commercial platforms without addressing configuration hygiene at scale, this pattern will keep replaying itself. It's not a question of if anymore. It's a question of who's next.
Sources
- Infinite Campus data breach affects 137,000 school staff accounts — BleepingComputer, June 15, 2026. All factual claims in this article trace to this source.