Students at Risk after Classroom Software Hacked

By admin Mar 27, 2026

Infinite Campus Hit by ShinyHunters Data Breach via Salesforce

Popular student information system (SIS) Infinite Campus has confirmed a data breach, reportedly carried out by the notorious hacker group ShinyHunters, which is now attempting to extort the company.

According to a data breach notification shared with affected individuals and later posted on Reddit, an unauthorized actor accessed an employee’s Salesforce account on March 18, 2026. Infinite Campus says its IT and security teams quickly removed the intruder, but not before the attacker obtained names and contact information of school staff. The company emphasized that most of the stolen information is “commonly found on school websites,” and that customer data was not targeted or compromised.

What Happened

  • Breached system: Salesforce account
  • Data exposed: Names and contact details of school staff
  • Customer impact: None; no sensitive customer information was taken
  • Ransom demand: Added to ShinyHunters’ leak site with a March 25, 2026 deadline

The attackers claim to have taken Salesforce records containing personally identifiable information (PII) and other internal corporate data. They added Infinite Campus to their data leak site, demanding payment in Bitcoin or Monero and threatening to release the files online if it is not made.

ShinyHunters’ Pattern

While Infinite Campus did not publicly name the group, it described the attackers as a “group known for targeting Salesforce accounts of hundreds of companies,” strongly indicating ShinyHunters. The group has previously targeted major organizations, including Cisco, Adidas, Qantas, and Allianz Life, using tactics such as:

  • Voice phishing (vishing): Tricking employees into granting access
  • OAuth token theft: Exploiting legitimate authentication to access CRM data

Once access is gained, the attackers exfiltrate sensitive CRM data and demand ransom, often through cryptocurrency. Infinite Campus stated that it will not engage with the attackers, and has temporarily disabled some customer-facing services for users without verified IP addresses.

This incident highlights the growing threat to cloud-based services like Salesforce, especially in sectors handling sensitive educational and organizational data.
