A breach of K-12 student information platform Infinite Campus has left personal details for roughly 137,000 school employees exposed after the ShinyHunters extortion group obtained unauthorised access to the company's Salesforce environment in March. The incident adds to a growing list of attacks targeting Salesforce deployments across multiple industries.
What happened
Infinite Campus, whose student information system is used by more than 3,200 school districts across 46 states and manages records for around 11 million students, notified customers of the breach in March. The company described the attacker in general terms at the time — characterising the perpetrator as belonging to a group with a documented pattern of targeting Salesforce accounts at hundreds of organisations — without naming ShinyHunters directly.
The company said the compromised Salesforce instance held staff directory information: names, contact details, and similar data typically published on school websites. It stated that there was no evidence the underlying customer databases had been accessed.
ShinyHunters subsequently posted a 1.2 GB archive to its data leak site, claiming the files contained Salesforce records with personally identifiable information alongside internal corporate documents. Data breach notification service Have I Been Pwned reviewed the leaked material and determined that 137,100 unique accounts were affected. The exposed fields span a broad range of contact attributes — including email addresses, phone numbers, physical addresses, job titles, employer names, usernames, and support ticket records.
Why it matters
The breach sits inside a broader pattern of Salesforce-focused attacks attributed to ShinyHunters. The group has separately claimed responsibility for campaigns that netted more than 1.5 billion records in aggregate, including incidents tied to Salesloft's Drift platform and a wider effort exploiting weaknesses in the Salesforce Aura framework across hundreds of companies. Most recently, the group announced a separate campaign targeting a zero-day in Oracle's PeopleSoft software, with more than 100 organisations said to be affected.
For the education sector specifically, the Infinite Campus breach follows the December 2024 PowerSchool incident, though the scale differs considerably. The PowerSchool compromise affected roughly 62 million students, whereas the Infinite Campus exposure is limited to staff contact data rather than student records. The individual behind the PowerSchool attack — a 19-year-old college student from Massachusetts who pleaded guilty — was sentenced to four years in prison in May 2025.
The nature of the exposed data matters for affected staff. Support ticket records, in particular, may contain more sensitive contextual information than standard directory entries, and the combination of verified email addresses, physical addresses, and employer details creates a usable dataset for spear-phishing or social engineering.
For professionals: Organisations using Salesforce — particularly those in the public-sector and education verticals — should audit which external-facing Salesforce instances store staff or customer PII, review connected-app permissions, and confirm whether multi-factor authentication is enforced on all Salesforce user accounts. The ShinyHunters campaign pattern suggests opportunistic scanning rather than targeted intrusion, meaning baseline hardening significantly reduces exposure.
What to watch
ShinyHunters has not yet faced meaningful disruption to its operations despite repeated high-profile claims. The group's pivot toward enterprise SaaS environments — Salesforce and now Oracle PeopleSoft — signals a shift away from cloud storage misconfigurations toward application-layer exploitation. Whether law enforcement action comparable to the PowerSchool sentencing materialises for ShinyHunters-linked actors remains an open question. Infinite Campus has not publicly disclosed whether it has completed a forensic review or implemented additional controls on its Salesforce environment following the incident.
Automated pipeline · Security
Synthesized from 1 industry feed on 15 Jun 2026. First draft failed editor review; a revised version was approved before publication. Style guide v1.2.
Sources
Decision trail
- Checking for duplicates — Deduped batch of 6 candidates
- Checking for duplicates — New story New breach affecting K-12 education sector via Salesforce compromise; distinct from previously covered ShinyHunters PeopleSoft campaign.
- Writing the article — Draft created article_id=47 slug=shinyhunters-breach-exposes-137-000-infinite-campus-school-staff-accounts-via-salesforce
-
Editor review — Rejected
- Factual grounding: Material: The article states the PowerSchool attacker was 'a 19-year-old from Massachusetts who pleaded guilty.' The source describes him as 'a 19-year-old college student from Massachusetts' — omitting 'college student' is a minor distortion, but more importantly the article says he 'received a four-year prison sentence in May 2025.' The source says he 'was also sentenced to 4 years in prison after a guilty plea in May 2025.' The article's phrasing implies the sentence came after a prior guilty plea mentioned earlier, whereas the source treats both as part of the same May 2025 event. This is a minor misrepresentation but traceable.
- Quote integrity: Material: The article does not use any blockquotes, so no quote integrity violation. However, the Have I Been Pwned paraphrase in the body ('confirmed exposure across 137,100 unique accounts') and the compromised-fields list closely mirror the source's sentence structure and field enumeration ('names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets' → article: 'names, email addresses, employer names, job titles, phone numbers, mailing addresses, usernames, and support ticket content'). The substitution of 'employers' with 'employer names,' 'physical addresses' with 'mailing addresses,' and 'support tickets' with 'support ticket content' is too thin a paraphrase and constitutes copied phrasing.
- No copied phrasing: Material: The sentence 'ShinyHunters has targeted many Salesforce customers over the past year, claiming to have stolen more than 1.5 billion records after breaching hundreds of companies in the Salesloft Drift hack and the Salesforce Aura campaign' in the source is closely echoed in the article: 'The group has previously claimed to have harvested more than 1.5 billion records through separate campaigns targeting Salesloft's Drift product and a broader Salesforce Aura exploitation effort spanning hundreds of companies.' This is only a light restructure with synonym substitution rather than aggressive paraphrase as required by the style guide.
- No copied phrasing: Minor: The standfirst ('The ShinyHunters extortion group targeted the Salesforce environment of K-12 student information platform Infinite Campus in March, leaking contact data for more than 137,000 school employees') closely mirrors the source's opening sentence structure and key phrase clusters. The style guide requires aggressive paraphrase.
- Style compliance — word count: Minor: Body text is approximately 710–730 words, which exceeds the hard maximum of 750 words but falls within the 701–780 minor-issue band. Borderline
- does not trigger a hard reject on its own but contributes to score reduction.
- Factual grounding: Minor: The article says Infinite Campus 'stopped short of naming a specific threat actor in its customer notifications at the time, describing the perpetrator only as a member of a group with a track record of targeting Salesforce accounts across a broad range of organizations.' The source quotes Infinite Campus as saying 'part of a group known for targeting the Salesforce accounts of hundreds of companies.' The article paraphrases 'hundreds of companies' as 'a broad range of organizations,' which softens the specificity. Not materially wrong but imprecise.
- Sources section: Minor: Only one source is listed in ## Sources. The style guide requires linking every source article. Only one source text was provided, so this is acceptable, but the article should confirm no additional sources were used.
- Writing the article — Rewritten editor-driven rewrite
-
Editor review — Approved
- No copied phrasing: Minor: 'The company said the compromised Salesforce instance held staff directory information: names, contact details, and similar data typically published on school websites' closely echoes the source's 'names and contact information for school staff' and 'directory information commonly found on school websites' — restructured but still leans on the same phrase cluster. Minor concern.
- Factual grounding: Minor: The article states the exposed fields include 'support ticket records' as a distinct category implying greater sensitivity, which is factually supported by the source ('support tickets'). However, the article's interpretive claim that 'Support ticket records, in particular, may contain more sensitive contextual information than standard directory entries' is editorial inference not present in the source. This is analysis/editorial rather than a stated fact from sources, which is a minor style issue.
- Factual grounding: Minor: The article states 'The group's pivot toward enterprise SaaS environments — Salesforce and now Oracle PeopleSoft — signals a shift away from cloud storage misconfigurations toward application-layer exploitation.' The characterisation of a 'shift away from cloud storage misconfigurations' is not supported by the source, which does not describe ShinyHunters' prior methods as cloud storage misconfigurations. This is an unsupported inferential claim.
- Factual grounding: Minor: The 'For professionals' callout states 'The ShinyHunters campaign pattern suggests opportunistic scanning rather than targeted intrusion.' The source does not characterise the campaign as opportunistic scanning
- this is editorialising beyond what the source supports.
- Style compliance: Minor: The article's word count appears to be within or near the upper range but acceptable. The 'For professionals' block is the only optional block used, which is within the two-block maximum.
- Factual grounding: Minor: The University of Nottingham is mentioned in the source as one of the Oracle PeopleSoft victims but is not referenced in the article, which is acceptable omission rather than error.
- Assigning hero image — Pexels pexels_id=30901558
- Linking related stories — Linked 2 relations from 30 candidates
- Publishing — Published shinyhunters-breach-exposes-137-000-infinite-campus-school-staff-accounts-via-salesforce
Discussion · coming soon
Be the first to join the thread when community discussion launches.