Infinite Campus says Salesforce account breach exposed school staff contact data
Infinite Campus, a major U.S. K-12 student information system provider, disclosed a security incident after a threat actor accessed an employee’s Salesforce account used for internal case management and ticketing and then attempted to extort the company. The company said the intrusion did not reach its student information system or customer databases, and that the data believed exposed was limited mainly to school staff names and contact details, much of it already publicly available. Threat actor ShinyHunters claimed responsibility, added Infinite Campus to its leak site, and threatened to publish allegedly stolen Salesforce records and internal corporate data if the company did not negotiate.
Infinite Campus said it disabled the compromised account, began reviewing potentially affected Salesforce data for sensitive information that may have appeared in support tickets, and is notifying districts directly if further issues are identified. As a precaution, it also disabled some customer-facing services for organizations without IP restrictions while restoration work continued. The incident drew attention across the K-12 sector, with the North Carolina Department of Public Instruction saying it was in direct contact with the company and had not confirmed any impact to the state’s system, while Infinite Campus maintained that no student data was breached.
Timeline
Mar 28, 2026
Review of leaked files finds limited sensitive student data in support tickets
After ShinyHunters leaked data allegedly stolen from Infinite Campus, DataBreaches reviewed the tranche and found no evidence that student databases were compromised, with most files appearing proprietary or client-related. However, the review identified a small number of support tickets containing student names and some sensitive details such as disability status, discipline information, IEP dates, withdrawal information, and arrest-related reporting details.
Mar 25, 2026
North Carolina education officials begin monitoring the incident
North Carolina Superintendent Maurice “Mo” Green issued a bulletin on the incident, and the North Carolina Department of Public Instruction said it was in direct communication with Infinite Campus. At that time, the state said it had no confirmation that North Carolina’s system was affected.
Mar 24, 2026
Infinite Campus warns customers and says student data was not impacted
Infinite Campus publicly acknowledged the security incident and told customers that exposed data appeared limited to school staff names and contact information, much of it already public. The company said no student information or customer databases were breached and that it would not negotiate with the attacker.
Mar 24, 2026
ShinyHunters claims breach and posts Infinite Campus on leak site
ShinyHunters claimed responsibility for the intrusion, listed Infinite Campus on its dark web leak site, and threatened to release allegedly stolen Salesforce records and internal corporate data. The group set a negotiation deadline of March 25.
Mar 24, 2026
Infinite Campus restricts some customer-facing services as a precaution
As part of containment, Infinite Campus disabled certain customer services for organizations without IP address restrictions while support teams worked to restore them. The measure was described as precautionary during the ongoing review of potentially compromised Salesforce data.
Mar 24, 2026
Infinite Campus disables affected account and begins incident response
After detecting the incident, Infinite Campus immediately disabled the compromised Salesforce account and began scanning Salesforce data for sensitive information that may have been included in support tickets. The company also started notifying affected districts if additional concerns were identified.
Mar 24, 2026
Threat actor accesses Infinite Campus employee Salesforce account
An attacker compromised an Infinite Campus employee’s Salesforce account used for internal case management and ticketing. Infinite Campus said the intrusion did not reach its student information system or customer databases.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Sources
Related Stories
Instructure discloses cyber incident affecting Canvas services
Instructure, the U.S. education technology company behind the **Canvas** learning platform, disclosed that it recently suffered a cybersecurity incident involving a criminal threat actor and has engaged outside forensic experts to investigate the scope and impact. The company said it is still determining what systems or data were affected and has not yet confirmed whether service disruptions beginning May 1—including maintenance affecting **Canvas Data 2**, **Canvas Beta**, and tools dependent on API keys—are directly tied to the incident. The disclosure comes as education technology providers face sustained targeting because they hold large volumes of student and teacher information. Reporting around the incident notes that Instructure had already disclosed a separate **Salesforce-related** breach in September 2025 linked to social engineering, while external leak-site style listings have also associated the company with **ShinyHunters** claims that remain unverified. The latest incident also follows other major school technology breaches, including **PowerSchool** and **Infinite Campus**, underscoring continued pressure on the sector.
Today
McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration
McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the **ShinyHunters** extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted. After the extortion deadline passed, data tied to **13.5 million** McGraw Hill user accounts was reportedly leaked publicly, with **Have I Been Pwned** saying the dump contained more than **100GB** of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold **45 million** Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.
2 days ago
PowerSchool SIS Breach Exposed Student and Staff Data
PowerSchool disclosed a security incident affecting its Student Information System (SIS), a platform widely used by K-12 school districts to manage student records, enrollment, attendance, grades, and related administrative data. Reporting on the breach indicates attackers accessed sensitive information stored in SIS environments, with exposed data potentially including student and staff names, contact details, dates of birth, Social Security numbers, medical information, and other school records, depending on the district. The incident raised broad concern across the education sector because a compromise of a centralized SIS provider can affect many districts at once and expose minors' data alongside employee information. Public coverage and PowerSchool's incident communications indicate the company moved to investigate and notify affected customers, while schools and families were urged to review breach notices, monitor for identity theft, and assess the long-term privacy impact of the exposure of highly sensitive educational records.
4 days ago