Infinite Campus Warns K-12 Customers After ShinyHunters Claims Salesforce Data Theft

Infinite Campus, the K-12 student information system used by thousands of school districts, warned customers that hackers accessed an employee's Salesforce account, exposing information the company described as mostly publicly available. The breach notification, sent on March 24, arrived just as the extortion group ShinyHunters escalated its pressure campaign.

ShinyHunters posted a "final warning" on its dark web site threatening to leak all data allegedly stolen from Infinite Campus, giving the company until March 25 to initiate contact and negotiate a ransom. Infinite Campus responded that it will not engage with the attacker.

ShinyHunters claims to have stolen Salesforce records containing personally identifiable information and various internal corporate data. The company disputed the severity of the exposure: the compromised Salesforce instance reportedly contained names and contact details for school staff, with Infinite Campus explaining that "the majority is directory information commonly found on school websites." Infinite Campus also stated that, according to its investigation, no customer databases were accessed.

Infinite Campus did not name ShinyHunters as the threat actor, instead describing the intruder as "part of a group known for targeting the Salesforce accounts of hundreds of companies." The gap between the company's characterization and what cybersecurity reporters confirmed matters given the stakes: Infinite Campus serves more than 3,200 school districts, and its software manages data for 11 million students across 46 states.

The incident occurred on March 18, 2026, and was detailed in a notification sent by Infinite Campus CEO Charlie Kratsch to customers. The breach was detected the same day after multiple internal security controls flagged suspicious activity tied to the Salesforce account. The account was promptly disabled and the company initiated an internal investigation with the assistance of security partners. As a further precaution, Infinite Campus temporarily disabled certain services for customers lacking IP address restrictions, to reduce potential exposure if sensitive data had been shared through communications.

The Infinite Campus incident is the latest in a sustained campaign against Salesforce users. The extortion group has been targeting Salesforce customers for the past year, breaching hundreds of companies and claiming more than 1.5 billion records stolen in the Salesloft Drift hack and the more recent Salesforce Aura campaign. In that Aura campaign, ShinyHunters took a legitimate security audit tool released by Google-owned Mandiant and turned it into a data extraction weapon, using it to scan and exploit Salesforce Experience Cloud sites with misconfigured guest user permissions, resulting in an estimated 300 to 400 companies breached.

Unlike many ransomware operations that focus on encrypting systems, ShinyHunters' campaign revolves around data exposure and extraction from cloud-based CRM environments, exploiting a combination of publicly accessible Salesforce portals, overly permissive guest user configurations, and automated reconnaissance tools to harvest sensitive information at scale.

In the Salesloft Drift campaign alone, the group claimed to steal data from 760 organizations, with victims including Cisco, Disney, KFC, Ikea, Marriott, McDonald's, Walgreens, Albertsons, and Saks Fifth Avenue. The breadth of that campaign underscores why a ransom refusal from Infinite Campus carries real risk: victims regularly receive "Final Warning" notices on the group's leak sites, threatening the public release of stolen data if payments are not made.

The claims against Infinite Campus remain unverified, with no independent forensic evidence yet confirming the full extent of what was taken. The company has not published an official public statement, though customers reported the incident on various public platforms. With the March 25 deadline now passed and Infinite Campus firm in its refusal to negotiate, whether ShinyHunters follows through on its threat to publish will be the next indicator of how seriously to weigh the group's claims.