Infinite Campus breach alert follows ShinyHunters data theft claim
▼ Summary
– Infinite Campus, a major K-12 student data system, is alerting customers to a data breach after an extortion attempt by the ShinyHunters hacker group.
– The breach occurred via a compromised employee Salesforce account, exposing mostly public information like school staff names and contact details.
– The company states no customer databases were accessed and it will not negotiate with the hackers, who threatened to leak the data.
– In response, Infinite Campus has disabled some customer services without IP restrictions and is scanning its Salesforce data.
– This incident follows a pattern of ShinyHunters targeting hundreds of companies’ Salesforce accounts over the past year.
A major provider of student information systems to U.S. school districts is alerting clients to a data breach after a known cybercriminal group attempted extortion. Infinite Campus, which serves over 3,200 districts, confirmed that an unauthorized party gained access to an employee’s Salesforce account. The company maintains that no student databases were compromised, and the exposed information largely consisted of publicly available staff contact details.
This notification follows a public claim of responsibility by the ShinyHunters extortion group. The hackers posted a final warning on their dark web site, threatening to release all stolen data unless the company initiated ransom negotiations by March 25. Infinite Campus has stated it will not engage with the threat actor. While the company did not name ShinyHunters directly, it described the intruder as belonging to a group notorious for targeting hundreds of corporate Salesforce accounts.
The group has been actively exploiting Salesforce security for roughly a year. In previous campaigns, including the Salesloft Drift and Salesforce Aura incidents, ShinyHunters has claimed responsibility for stealing billions of records. In this case, the targeted data reportedly includes personally identifiable information and internal corporate records from the Salesforce platform.
According to the company’s investigation, the breach was contained to its Salesforce instance. The information accessed primarily involved names and contact details for school staff, much of which is considered directory information available on school websites. In response, Infinite Campus has temporarily disabled certain customer-facing services for users without IP restrictions to reduce risk. The firm is also conducting a comprehensive scan of all potentially compromised Salesforce data and reaching out to individual districts that may be affected.
This incident echoes a similar attack on another educational technology giant, PowerSchool, in late 2024. That breach, which exploited a comparable platform vulnerability, resulted in the exposure of sensitive data for 62 million students. The perpetrator in that case, a 19-year-old college student, later received a four-year prison sentence. The scope of the Infinite Campus breach appears significantly narrower, focusing on staff information rather than student records. The company has shared its customer notification but has not provided further public comment on the number of districts impacted.
(Source: BleepingComputer)
