The student information system Infinite Campus has been confirmed as the latest victim of a ShinyHunters extortion campaign, after the group published a dataset tied to a compromised Salesforce account. According to breach notification service Have I Been Pwned (HIBP), which added the incident on June 15, 2026, the leak exposed 137,123 unique email addresses along with associated personal and professional details. The original intrusion dates to March 2026 and follows the now familiar "pay or leak" model the group has deployed against a string of major enterprises.
What Happened
In March 2026, Infinite Campus was targeted in a "pay or leak" extortion operation attributed to ShinyHunters. The attackers gained access through an employee's Salesforce account, exfiltrated data, and then pressured the company to pay before the records were made public. When the demand went unmet, the group followed through and posted the stolen dataset, later listing Infinite Campus on its dark web leak site.
The exposed data was ingested into Have I Been Pwned on June 15, 2026, formally cataloging 137,123 unique email addresses. Infinite Campus has since sent breach notifications to affected parties, confirming that an unnamed unauthorized actor accessed the compromised Salesforce account. The company has sought to frame the exposure as lower severity, noting that much of the leaked content mirrors publicly available school directory information.
What Was Taken
ShinyHunters released a dataset it claims originated from Infinite Campus. Per HIBP, the confirmed data types include:
- Email addresses
- Names
- Usernames
- Job titles
- Employers
- Phone numbers
- Physical addresses
- Support tickets
The headline figure is 137,123 unique email addresses. The records skew heavily toward school staff contact information rather than student data, and Infinite Campus maintains that the majority of the fields constitute directory information commonly published on school websites. Still, the inclusion of support tickets, usernames, and physical addresses raises the practical risk well above what a simple directory scrape would represent.
Why It Matters
This breach lands squarely within a broader wave of ShinyHunters intrusions tied to compromised Salesforce environments. In the past month alone, the group has been connected to incidents at Charter Communications, Kemper Corporation, Ameriprise Financial, 7-Eleven Inc., Woflow Inc., and Vimeo. Infinite Campus is not an isolated event but one node in a coordinated, high volume extortion campaign exploiting third party SaaS access.
For defenders, the K-12 angle is significant. Infinite Campus underpins student information management for school districts, meaning the exposed staff contacts represent a ready made target list for follow on phishing, business email compromise, and social engineering against education sector institutions that often run lean security programs. Even "directory" data becomes a weapon when paired with usernames and support ticket context that lend credibility to targeted lures.
The Attack Technique
The intrusion vector was a compromised Salesforce account belonging to an Infinite Campus employee. This aligns with ShinyHunters' established playbook of abusing legitimate SaaS credentials and connected platforms rather than exploiting novel software vulnerabilities. Once inside the Salesforce tenant, the actor accessed and exfiltrated stored contact records and support data, then moved to the extortion phase, demanding payment under threat of public disclosure before ultimately leaking the dataset on its dark web infrastructure.
The pattern across the group's recent victims points to credential theft, OAuth abuse, or social engineering targeting Salesforce as the recurring entry point, making identity and SaaS access governance the critical chokepoint.
What Organizations Should Do
- Audit and harden Salesforce access: enforce phishing resistant multi factor authentication, review connected apps and OAuth grants, and revoke unused integrations and stale credentials.
- Monitor for anomalous SaaS activity: watch for unusual bulk data exports, atypical login geographies, and access spikes within Salesforce and similar platforms.
- Treat the leaked staff data as a phishing seed: brief school and district personnel to expect targeted lures referencing real names, job titles, and support history.
- Rotate credentials and reset exposed accounts: force password changes for affected usernames and invalidate active sessions tied to the breach.
- Check exposure via HIBP: have staff and administrators confirm whether their addresses appear in the dataset and apply the guidance in the official Infinite Campus notifications.
- Review third party SaaS risk broadly: extend the same access controls and monitoring to every vendor platform holding directory or contact data, not just Salesforce.
Sources: 137K+ Infinite Campus Accounts Exposed Following ShinyHunters Data Leak - TechNadu