
Infinite Campus, a widely used student information system provider in the US education sector, has disclosed a security incident involving unauthorized access to an employee’s Salesforce account.
Meanwhile, the ShinyHunters extortion group claims to have stolen sensitive corporate data and is threatening to leak it.
The incident, which occurred on March 18, 2026, was detailed in a notification sent by Infinite Campus CEO Charlie Kratsch to customers. According to a notice sample posted on Reddit, the breach was detected the same day after multiple internal security controls flagged suspicious activity tied to a Salesforce account belonging to an employee. The account was promptly disabled, and the company initiated an internal investigation with the assistance of security partners.

Later that evening, the threat actor contacted Infinite Campus, claiming affiliation with a group known for targeting Salesforce environments across multiple organizations. The attacker demanded payment in exchange for deleting allegedly exfiltrated data. Infinite Campus stated that it has refused to engage with the extortion attempt.
Infinite Campus is a major provider of student information systems (SIS) used by K-12 school districts across the United States, supporting functions such as attendance tracking, grading, scheduling, and communication between schools and families. Its platform is widely adopted, making any potential data exposure a significant concern for educational institutions and their staff.
In its official communication, the company maintains that the attacker did not access customer databases. Instead, the compromised Salesforce instance reportedly contained contact details and directory-style information for school staff, much of which is already publicly available through school websites. Infinite Campus emphasized that there is no evidence suggesting access to sensitive student records or core customer data systems.
However, claims published on the ShinyHunters extortion portal paint a more severe picture. The group alleges that it has obtained Salesforce records containing personally identifiable information (PII) along with internal corporate data. The listing, marked as a “final warning,” sets a deadline of March 25, 2026, for the company to comply with payment demands or face public data leaks.

As a precautionary measure, Infinite Campus temporarily disabled certain services for customers lacking IP address restrictions, aiming to reduce potential exposure if sensitive data had been shared through communications. The company also confirmed that it is conducting a comprehensive review of all Salesforce data that may have been accessed and is working to restore affected services.
Schools using Infinite Campus should enforce multi-factor authentication (MFA) across all accounts, restrict access via IP allowlisting, rotate credentials, and monitor account activity logs for suspicious access patterns.






