Mar 28, 2026 · 6 min read

ShinyHunters Hit the School Software Used by 11 Million Students

Infinite Campus manages student records for 3,200 school districts in 46 states. ShinyHunters breached it through a single Salesforce account.

One Salesforce Account Was Enough

On March 18, 2026, an attacker gained unauthorized access to an employee's Salesforce account at Infinite Campus, the largest K-12 student information system in the United States. The company's software manages data for approximately 11 million students across 3,200 school districts in 46 states. That single compromised account was all ShinyHunters needed to get in.

Infinite Campus said its IT and security teams detected the intrusion and ousted the attacker quickly. The company stated the exposed information consisted primarily of "directory information commonly found on school websites," specifically names and contact details for school staff. No student databases were accessed, according to the company's investigation.

ShinyHunters tells a different story. The data extortion group posted a "final warning" on its dark web site, claiming to have stolen Salesforce records containing personally identifiable information and corporate data. They gave Infinite Campus until March 25 to negotiate a ransom or face a full data leak.

Infinite Campus Refused to Pay

To its credit, Infinite Campus refused to engage with ShinyHunters. The company disabled certain customer-facing services, scanned the compromised Salesforce instance, and contacted affected school districts with guidance. The March 25 deadline passed without negotiation.

This response aligns with a growing consensus among security professionals that paying ransoms funds further attacks without guaranteeing data deletion. As analysis of ShinyHunters' operations has shown, groups that receive payment often retain and resell the stolen data anyway.

ShinyHunters' Education Sector Campaign

The Infinite Campus breach is not an isolated incident. ShinyHunters has been systematically targeting organizations through their Salesforce instances for over a year. The group previously claimed 1.5 billion records stolen through Salesforce-connected campaigns, and has compromised companies ranging from CarGurus to Harvard and UPenn.

Their playbook is consistent: compromise a single employee account at a third-party service provider, exfiltrate whatever data is accessible, then threaten the victim with publication. The attack vector is not sophisticated. It does not require zero-day exploits or advanced malware. It requires one set of stolen credentials and a CRM platform that trusts its users too much.

Student Data Is Uniquely Vulnerable

Even if Infinite Campus is correct that no student databases were accessed in this breach, the incident highlights how fragile the systems protecting children's data really are. Student information systems contain:

  • Personal records: names, dates of birth, addresses, parent contact information
  • Academic data: grades, test scores, disciplinary records, attendance history
  • Health information: immunization records, allergies, medical conditions, IEP documentation
  • Family data: custody arrangements, emergency contacts, household income for free lunch eligibility

Children cannot freeze their credit, monitor the dark web for their SSN, or take the protective measures adults use after a breach. Identity theft targeting minors often goes undetected for years, surfacing only when they apply for their first job or student loan. A breach of a system serving 11 million students would be catastrophic precisely because the victims cannot protect themselves.

The Third-Party Problem

Infinite Campus was not breached through its own infrastructure. It was breached through Salesforce, a third-party service it relies on for customer relationship management. This pattern repeats across the education sector and beyond: organizations secure their primary systems but leave third-party integrations as unmonitored entry points.

School districts chose Infinite Campus to manage their student data. Infinite Campus chose Salesforce to manage its customer relationships. Neither the districts nor the parents had any visibility into or control over that second decision. When the Salesforce account was compromised, the chain of trust broke at its weakest link.

This is the same pattern that exposed HackerOne employees through their benefits administrator and compromised Crunchyroll through an Okta SSO account. The organizations holding the most sensitive data are only as secure as the least secure vendor in their supply chain.

What Parents and Schools Should Do

If your school district uses Infinite Campus:

  • Ask your district whether they were among those notified by Infinite Campus and what data may have been exposed
  • Freeze your child's credit with all three bureaus as a precaution. It is free and prevents identity theft even if their data surfaces later
  • Monitor communications from the district for updates on the breach investigation
  • Be skeptical of emails or calls referencing your child's school information, as stolen directory data is commonly used in targeted phishing

For school administrators: review what third-party services have access to your student data, enforce multi-factor authentication on every external platform, and demand breach notification timelines from your vendors before the next incident happens.