What Happened
On March 18, 2026, an unauthorized actor gained access to an Infinite Campus employee’s Salesforce account, a case management system used for internal operations rather than the student information system itself. The breach was discovered and the account was immediately disabled by Infinite Campus’s IT and security teams. The ShinyHunters threat actor group claimed responsibility for the attack on March 22, 2026, and publicly announced it on March 24, 2026, demanding ransom by March 25 or threatening to leak stolen data. The compromised data consisted primarily of names and contact information for school staff, most of which is commonly available on school websites. Importantly, Infinite Campus confirmed that no student databases or customer information were accessed, and the exposed data did not include sensitive student records. The company disabled certain customer-facing services as a precaution and began scanning all potentially compromised Salesforce data to contact affected districts.
