When the victim is a K-12 student information system, the first fear is always the children. Infinite Campus — the SIS used by more than 3,200 districts and roughly 11 million students across 46 states — has confirmed a breach after ShinyHunters published its data, and the most important fact is also the most reassuring one: the stolen records are school staff, not students.

That distinction has been getting lost. At least one outlet ran a headline about “137k students exposed,” and it is wrong. The leaked dataset is 137,123 unique staff accounts, and the company says there is no evidence that customer databases, student academic records, or financial data were touched.

What actually leaked

ShinyHunters posted a roughly 1.2GB archive to its leak site after Infinite Campus declined to pay. The exposed fields are staff contact and directory information: names, email addresses, phone numbers, physical addresses, employer/district, job titles, usernames, and internal support-ticket records. Infinite Campus characterizes most of it as “directory information commonly found on school websites” — which is broadly true, though the aggregation of 137,000 staff records into a single searchable archive is exactly the kind of raw material that fuels targeted phishing against schools.

What did not leak, per the company: the core SIS, student academic records, and financial data. That boundary is the whole story here.

One account, not the platform

The breach did not come through Infinite Campus’s own systems. It came through a single compromised employee Salesforce account. That account was promptly disabled after internal security controls flagged suspicious activity, but not before data was exfiltrated.

This is the signature of the ShinyHunters Salesforce campaign that has run through 2025 and 2026 — a wave of intrusions that has hit hundreds of companies by compromising Salesforce instances rather than the victims’ flagship products. We’ve tracked it from the enterprise vishing campaign that turned help-desk calls into Salesforce breaches through named victims like Charter Spectrum and Cushman & Wakefield. Several outlets report a vishing element to the Infinite Campus intrusion — a voice-phishing call leading to account takeover — but that specific detail is not confirmed in the company’s own statement, which only references suspicious activity caught by internal controls. It is consistent with ShinyHunters’ known tradecraft, not established fact for this incident.

The timeline and the refusal

The intrusion happened on March 18, 2026 and was detected the same day. ShinyHunters set a March 25 deadline to negotiate. Infinite Campus, per CEO Charlie Kratsch, refused to pay — and the data sat until the group published it around June 15, the standard ShinyHunters punishment for non-payment.

Refusing extortion is the defensible call, and increasingly the expected one. But it comes with a guaranteed cost: the data goes public, and the staff in that archive now live with the exposure. The contrast with Instructure, which paid ShinyHunters over the Canvas breach and got “data destruction” promises in return, shows the two paths the education sector keeps having to choose between — neither of them good.

Why education keeps getting hit

Infinite Campus is the latest entry in a relentless run against the sector. Schools and edtech vendors sit on dense identity data, run sprawling vendor ecosystems, and have historically under-invested in security relative to what they hold — the same combination we’ve documented across the deepening crisis in school cybersecurity and the ShinyHunters breach of the Instructure Canvas platform that exposed hundreds of millions of student records.

The lesson Infinite Campus offers is narrower and more useful than “schools are targets.” It is that a single SaaS account is now a sufficient breach surface. The student database was never touched; a salesperson’s Salesforce login was enough to produce a 137,000-record leak and a public extortion post. Segmenting third-party SaaS, enforcing phishing-resistant MFA, and hardening the help desk against social engineering are no longer optional controls for organizations of this scale.

For affected staff

If you are a school employee whose district uses Infinite Campus, assume your contact details are in the archive and expect targeted phishing that references your real role, district, and email. Be skeptical of any “Infinite Campus” or “IT support” message asking you to log in or verify credentials, and report suspicious contact to your district’s security team.

Sources