Infinite Campus says attackers compromised its Salesforce environment and leaked records tied to more than 137,000 school staff accounts, including names, contact details, physical addresses, email addresses, usernames, and support ticket information—despite a
For thousands of school workers, the threat didn’t begin with a stolen password or a classroom emergency. It began with an online dump.
Infinite Campus. an education technology provider used by school districts across the United States. says threat actors compromised its Salesforce environment and published alleged stolen records. The leak includes data tied to more than 137. 000 staff members—enough personal detail to make targeted phishing and social engineering feel painfully believable.
“The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets,” data breach notification service Have I Been Pwned (HIBP) said in its analysis of the leaked data.
Infinite Campus framed the incident around where the attackers broke in. The company says the breach targeted its Salesforce environment, not its student information databases. Still, the records exposed personal and contact information for approximately 137,000 school staff accounts.
The scale of the leak is tied to what the attackers allegedly obtained: ShinyHunters claimed responsibility and allegedly leaked a 1.2 GB archive of Salesforce records and internal data. HIBP’s analysis of the leaked material said it included names. email addresses. phone numbers. usernames. physical addresses. and support ticket information from approximately 137. 100 accounts.
That distinction—no student records compromised. but staff data exposed—matters. because it changes what can be directly used and what it can enable next. Even if student information wasn’t taken. attackers can use staff contact details and account-linked information to craft convincing messages that reach real people at the right moment.
Infinite Campus has already notified those impacted by the incident.
Behind the breach is a wider problem that education technology providers can’t afford to ignore. Infinite Campus is one of the largest student information system (SIS) providers in the United States. serving more than 3. 200 school districts across 46 states and supporting approximately 11 million students. When a company like that relies on cloud software such as Salesforce to run key internal workflows. a compromise can spill outward—turning third-party platform access into a new front line.
The exposed information also tracks with what schools often struggle to protect: the staff directory reality. Infinite Campus stated that the exposed information primarily consisted of school staff names and contact details. much of which is publicly available through school directories and websites. But the breach still impacted more than 137. 000 accounts—because the combination of public-facing details with account-linked data and support ticket information makes follow-on scams harder to dismiss.
In one moment, it’s a breach report. In the next, it’s a daily inbox risk.
The sequence is stark: the incident targeted Infinite Campus’s Salesforce environment. not student information databases; yet the leaked archive allegedly carried staff-level identifiers and ticket-related data. That mix doesn’t always require the attacker to touch student records to cause harm—it only needs enough detail to make deception look official.
Infinite Campus’s incident lands as another reminder for organizations that run on SaaS and third-party vendors. Security teams focused on education technology said the risks of third-party platforms are growing as schools and districts lean more heavily on cloud tools to manage sensitive operational data.
The practical takeaway is clear in the recommended approach for third-party security risks: enforce phishing-resistant MFA and strong conditional access policies for all privileged accounts; review user. service account. and third-party application permissions regularly and apply least-privilege access controls; audit OAuth integrations and remove unnecessary or excessive third-party access to SaaS platforms; monitor SaaS environments for suspicious activity. unusual logins. unauthorized data exports. and signs of account compromise; enable centralized logging. data loss prevention (DLP). and continuous security monitoring to improve threat detection and response; conduct regular third-party risk assessments and evaluate the security practices of vendors that handle sensitive data; and test incident response plans through tabletop exercises to make sure SaaS-related breach scenarios are included.
For Infinite Campus, the company’s message is that student information systems were not compromised. For staff whose contact details and account-associated information were allegedly exposed. the impact may still be felt—especially because the leaked data could support phishing and social engineering campaigns aimed at people inside school communities.
Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
Infinite Campus Salesforce breach school staff records ShinyHunters cybersecurity SaaS security data breach phishing social engineering third-party risk HIBP