GBHackers

Infinite Campus Breach Leaks Personal Information of 137,000 Users


A data breach affecting the widely used K–12 student information system, Infinite Campus, has exposed the personal information of approximately 137,000 users.

This incident is linked to an extortion campaign that occurred in March 2026 and has been attributed to the ShinyHunters threat group.

The breach was officially recorded on Have I Been Pwned (HIBP). This event highlights the ongoing risks faced by educational technology platforms, particularly those that handle staff and administrative data across school districts.

Infinite Campus Breach

According to breach disclosures and third-party reporting, the attackers exfiltrated a dataset containing 137,100 unique email addresses along with associated personally identifiable information (PII). The attackers later published the data after issuing a “pay or leak” demand.

The compromised dataset reportedly includes names, email addresses, phone numbers, physical addresses, employers, job titles, usernames, and internal support ticket records.

While Infinite Campus stated in its notification that the majority of the exposed information relates to school staff directory data, which is often publicly accessible via institutional websites, the inclusion of structured datasets and internal support communications raises concerns about aggregation risks and potential misuse in targeted phishing or social engineering campaigns.

The presence of support tickets is particularly notable, as these records may contain contextual operational details, system configurations, or partial credentials that could aid follow-on attacks.

ShinyHunters, a threat actor known for large-scale data breaches and extortion operations targeting SaaS platforms and enterprise services, has increasingly focused on organizations with centralized user databases.

Their typical tactics involve initial access via compromised credentials, exploitation of misconfigured cloud storage, or abuse of exposed APIs, followed by data exfiltration and extortion threats.

Although Infinite Campus has not publicly disclosed the exact intrusion vector, the scale and structure of the leaked data suggest unauthorized backend access rather than simple scraping of public directories.

From a risk perspective, even “low-sensitivity” data such as staff directories can become high-value when aggregated. Threat actors can weaponize this information for credential stuffing, business email compromise (BEC), or impersonation attacks targeting school districts and vendors.

For example, an attacker could craft convincing phishing emails impersonating district IT support using real names, roles, and internal references extracted from support tickets, significantly increasing success rates.

The breach underscores persistent security challenges in the education sector, where platforms often prioritize accessibility and integration over strict data minimization and segmentation.

Systems like Infinite Campus, which serve as centralized hubs for administrative and communication workflows, represent attractive targets due to their broad user base and interconnected data.

Security experts recommend that affected users, particularly school staff, remain vigilant against phishing attempts and ensure the use of unique passwords across services.

Organizations using Infinite Campus should review access logs, enforce multi-factor authentication (MFA), audit API usage, and reassess data exposure policies, especially regarding publicly accessible directory information.

As of now, Infinite Campus has not indicated any evidence that student academic records or financial data were compromised.

However, the incident adds to a growing list of breaches affecting education technology providers, reinforcing the need for stronger security controls, continuous monitoring, and transparent incident response practices across the sector.
