Infinite Campus Data Breach Exposes 137,000 School Staff Records
7 min. read 
Published on
Infinite Campus has disclosed a data breach affecting about 137,000 school staff accounts after attackers accessed data tied to the company’s Salesforce environment.
The exposed information includes names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets, according to the Have I Been Pwned breach listing.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The incident has been linked to the ShinyHunters extortion group, which claimed responsibility and published data it alleged was stolen from Infinite Campus. BleepingComputer reported that the leak contained data from 137,100 accounts.
What Infinite Campus Says Was Accessed
Infinite Campus said the attackers targeted its Salesforce instance, not its core student information system databases. The company told affected customers that the exposed information largely consisted of names and contact details for school staff.
The company also said most of the exposed data was directory information commonly found on school websites. However, collecting that information into one searchable dataset still creates a real security risk.
Support tickets are especially sensitive because they can contain operational context. Even when they do not include student records, they may reveal details about internal systems, school workflows, or account issues that attackers can reuse in phishing attempts.
| Category | Exposed data | Risk |
|---|---|---|
| Staff identity data | Names, employers, job titles, usernames | Can help attackers impersonate school employees |
| Contact data | Email addresses, phone numbers, physical addresses | Can support targeted phishing, calls, and social engineering |
| Support data | Internal support tickets | May expose technical or workflow context useful to attackers |
ShinyHunters Claimed the Breach
The breach first came to public attention in March 2026, after ShinyHunters posted a warning on its leak site. The group threatened to publish data it claimed was stolen from Infinite Campus if the company did not engage with its ransom demand.
In its earlier breach report, BleepingComputer said Infinite Campus described the intruder as part of a group known for targeting Salesforce accounts at hundreds of companies.
Infinite Campus did not name ShinyHunters in its customer notice. Still, the group later published a 1.2GB archive of documents allegedly containing Salesforce records and internal corporate data.
Have I Been Pwned Adds the Breach
The breach was added to Have I Been Pwned on June 15, 2026. The HIBP breach record says the incident affected 137.1 thousand accounts and occurred in March 2026.
Have I Been Pwned listed the compromised data as email addresses, employers, job titles, names, phone numbers, physical addresses, support tickets, and usernames.
The service also recommends that affected users change passwords where needed and enable two-factor authentication. That advice matters because attackers often combine exposed contact details with reused passwords from older breaches.
No Evidence Student Databases Were Compromised
Infinite Campus is widely used by K-12 districts in the United States, so the first concern after any breach is whether student records were exposed. The company said it has no evidence that customer databases were compromised.
BleepingComputer says the exposed data was tied to school staff and other publicly available information, based on Infinite Campus notifications and Have I Been Pwned’s analysis of the leaked dataset.
That distinction is important. A staff-data breach is still serious, but it is different from a compromise of student records, grades, attendance, or family information stored in school databases.
Why Public Directory Data Still Matters
School staff directories are often public, but attackers gain more value when they can download large, structured datasets. A single file with names, emails, phone numbers, employers, job titles, usernames, and support context makes social engineering easier.
TechRepublic reported that the breach raises phishing and SaaS security concerns, especially because the exposed records were connected to a Salesforce environment.
Attackers can use the data to send convincing messages that appear to come from a district, vendor, help desk, or school administrator. Support ticket details can make those messages feel more legitimate.
- Staff may receive fake password reset messages.
- Attackers may impersonate Infinite Campus support or district IT teams.
- Schools may see targeted phishing using real job titles or district names.
- Support ticket context may help attackers craft more believable lures.
- Phone numbers can support voice phishing or SMS phishing campaigns.
The Breach Fits a Larger Salesforce Extortion Pattern
ShinyHunters has been tied to multiple data theft and extortion campaigns targeting cloud and SaaS environments. These attacks often focus on access to business systems rather than direct attacks on a company’s main product database.
In this case, the Salesforce environment appears to have been the target. That makes the incident part of a wider problem facing schools and vendors: sensitive operational data often sits in third-party business tools outside core student systems.
TechRepublic noted that even when student records are not exposed, SaaS breaches can still create risk for schools because staff records and support information can fuel follow-on attacks.
What Affected Users Should Do
Infinite Campus users and school staff should treat unexpected messages about accounts, support tickets, payroll, HR, district systems, or student platforms with caution. Attackers may reference real names, job titles, or past support issues to build trust.
Users should also avoid reusing passwords across school, vendor, and personal accounts. If a password linked to an exposed email address was reused elsewhere, it should be changed immediately.
The practical steps are straightforward:
- Change reused passwords tied to affected email addresses.
- Enable multi-factor authentication wherever possible.
- Verify unexpected emails or calls through official district channels.
- Watch for messages that reference Infinite Campus support tickets.
- Report suspicious emails to school IT teams.
- Review account activity for unusual sign-ins or password reset attempts.
What Schools and Vendors Should Review
Schools using Infinite Campus should confirm whether their staff accounts were included in the exposed dataset. They should also warn employees about phishing attempts that may reference real district names, titles, and support details.
Vendors should review access to SaaS platforms such as Salesforce, enforce multi-factor authentication, monitor unusual exports, and limit support data exposure to the minimum needed for operations.
The breach also shows why school systems need to monitor vendor incidents even when student databases are not directly involved. Staff data, help desk information, and vendor support records can still become useful tools for attackers.
BleepingComputer’s earlier report said Infinite Campus serves more than 3,200 school districts and manages data for 11 million students in 46 states. That scale makes vendor security a major issue for the education sector.
FAQ
Attackers accessed data tied to Infinite Campus’s Salesforce environment and later leaked information affecting about 137,000 school staff accounts. The exposed data included names, email addresses, phone numbers, employers, job titles, usernames, physical addresses, and support tickets.
Have I Been Pwned lists 137.1 thousand affected accounts in the Infinite Campus breach. BleepingComputer reported that the exposed dataset contained data from 137,100 accounts.
Infinite Campus said it has no evidence that customer databases were compromised. The exposed information appears to be tied mainly to school staff names, contact details, and support tickets rather than student records.
The ShinyHunters extortion group claimed responsibility for the breach and later published data it alleged was taken from Infinite Campus.
Affected users should change reused passwords, enable multi-factor authentication, watch for phishing emails or calls, and verify any unexpected support or account messages through official school or vendor channels.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages