Infinite Campus leak exposes 137,000 staff accounts

Infinite Campus says a breach hit its Salesforce environment—not its student information systems—but stolen records tied to about 137,000 school staff accounts were published online after ShinyHunters claimed responsibility, raising fresh fears of phishing and

The first warning didn’t arrive as a headline. It arrived as data.

A breach affecting education technology provider Infinite Campus has exposed the personal information of more than 137. 000 school staff members. with threat actors allegedly compromising the company’s Salesforce environment and leaking stolen records online. A data breach notification service. Have I Been Pwned (HIBP). said the group published data it alleged was taken from Infinite Campus. The archive contained 137k unique email addresses along with names, phone numbers, physical addresses and support tickets.

The details are specific enough to make the harm easy to imagine: staff members who manage students all day can become targets of messages crafted to look real. Even though the exposed information is not student records. it is the kind of personal and professional contact data attackers can use to persuade people—quietly. quickly. and convincingly.

Infinite Campus says the incident targeted its Salesforce environment, not its student information databases. That distinction matters, because student records were not compromised. But the scale is still big: the breach exposed personal and contact information tied to approximately 137,000 school staff accounts.

ShinyHunters claimed responsibility and allegedly leaked a 1.2 GB archive of Salesforce records and internal data. HIBP’s analysis of the leaked material found names, email addresses, phone numbers, usernames, physical addresses, and support ticket information from approximately 137,100 accounts.

On paper, some of this information may already be findable. Infinite Campus stated that the exposed information primarily consisted of school staff names and contact details. much of which is publicly available through school directories and websites. But public availability is not the same as bulk exposure—what’s online once. in one place. in a downloadable archive. changes how easily attackers can move from guesswork to precision.

The practical risk is immediate. Although student records were not compromised, the exposed data could support phishing and social engineering campaigns.

Infinite Campus has already notified those impacted by the incident.

In a single sweep. the story also shows how education systems can be exposed without their most sensitive databases being touched. Infinite Campus is one of the largest student information system (SIS) providers in the United States. serving more than 3. 200 school districts across 46 states and supporting approximately 11 million students. The education technology ecosystem relies on cloud tools and third-party platforms to manage operational data—so when a vendor’s SaaS environment is compromised. customers can feel the blast even if the core systems remain secure.

This is where the tension tightens: it’s not only what data was taken. but how easily stolen access can be turned into follow-on attacks. Attackers don’t always need student files to cause damage. They need trust—and they need the details that make scams sound like they come from someone you actually work with.

Infinite Campus is pointing to controls that security teams can use to shrink that risk. Suggested steps include enforcing phishing-resistant MFA and strong conditional access policies for all privileged accounts. It also calls for regularly reviewing user, service account, and third-party application permissions and applying least-privilege access controls.

The recommendations go further inside the cloud itself: audit OAuth integrations and remove unnecessary or excessive third-party access to SaaS platforms. monitor SaaS environments for suspicious activity such as unusual logins and unauthorized data exports. and look for signs of account compromise. Centralized logging. data loss prevention (DLP). and continuous security monitoring are also cited as ways to improve threat detection and response.

Infinite Campus also emphasizes the need to test preparedness—not just plan on paper. It includes conducting regular third-party risk assessments and evaluating vendors that handle sensitive data. then testing incident response plans through tabletop exercises to ensure SaaS-related breach scenarios are included in response procedures.

For school leaders and IT teams, that checklist lands on a simple reality: in modern education technology, the attack surface is no longer confined to one institution’s systems. It extends to the cloud tools and vendors that run alongside daily operations.

Even when the student information databases stay untouched. compromised cloud environments can expose valuable information that fuels phishing and social engineering. In this case. the exposed data spans more than 137. 000 school staff accounts—enough to turn routine professional connections into a marketplace for targeted scams.

Infinite Campus data breach Salesforce breach ShinyHunters 137 000 staff accounts school staff data phishing social engineering Have I Been Pwned HIBP SaaS security third-party risk