Infinite Campus Confirms Data Breach Following ShinyHunters Extortion Threat

Infinite Campus, a major U.S. K-12 student information system provider, has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data. The company disclosed that the incident stemmed from the compromise of an employee's Salesforce account, which attackers used to access information. This admission follows ShinyHunters' public claim of responsibility on March 25, placing the education technology firm under immediate pressure to investigate and respond.

According to breach notices sent to customers and detailed by founder and CEO Charlie Kratsch, the investigation determined that attackers accessed only names and contact details for school staff, along with other data typically considered publicly available. The company emphasized that its core customer databases, which contain sensitive student information, were not compromised. In response to the incident, Infinite Campus took steps to deactivate certain services for customers as a precautionary security measure.

The breach highlights the persistent targeting of educational technology vendors by sophisticated threat actors like ShinyHunters, who specialize in data theft and extortion. While the confirmed data exposure appears limited this time, the event triggers scrutiny over third-party vendor security and data access controls within the K-12 ecosystem. The incident serves as a warning to other edtech providers about the risks posed by credential-based attacks on employee accounts, even when they do not lead to a full-scale system compromise.