The popular K-12 student information system Infinite Campus has disclosed a data breach affecting approximately 137,000 users after the notorious threat actor group ShinyHunters executed a “pay or leak” extortion campaign against the platform in March 2026.
ShinyHunters, a well-known cybercriminal group responsible for numerous high-profile data theft operations, targeted Infinite Campus in what investigators describe as a classic extortion scheme.
The group threatened to publicly release stolen data unless the company met their financial demands. When negotiations presumably failed, ShinyHunters followed through on the threat and published the allegedly stolen dataset online.
ShinyHunters Breaches Infinite Campus
The breach was subsequently detected by threat-monitoring systems, prompting Infinite Campus to issue formal notifications to affected individuals and clarify the scope of the exposed records.
According to the company, the compromised dataset largely consisted of names and contact information for school staff, with the organization noting that “the majority is directory information commonly found on school websites.”
The full scope of exposed data includes:
- Email addresses (137,000 unique entries)
- Names and usernames
- Phone numbers and physical addresses
- Employer details and job titles
- Contents of internal support tickets
According to Have I Been Pwned reports, Infinite Campus downplayed the sensitivity of some exposed fields. The inclusion of support ticket data is particularly concerning support tickets frequently contain detailed technical configurations, reported issues, and internal workflow details that threat actors can leverage for follow-on social engineering or targeted phishing campaigns against school district staff.
With over 12 million students and hundreds of thousands of staff members across U.S. school districts relying on the platform, the breach carries significant downstream risk even if the directly exposed records primarily belong to school personnel.
Exposed staff contact information combined with support ticket data creates a credible attack surface for spear-phishing and business email compromise (BEC) attempts targeting school districts.
The incident follows a broader trend of ransomware and extortion groups increasingly targeting education sector infrastructure, which typically operates with limited cybersecurity resources compared to enterprise environments.
Schools represent a high-value, low-resistance target holding sensitive student and staff data while often lacking dedicated security operations teams.
Affected individuals and organizations should take the following steps immediately:
- Reset passwords for all Infinite Campus accounts and any accounts sharing the same credentials
- Enable multi-factor authentication (MFA) across all administrative portals
- Alert staff to heightened phishing risks, particularly emails impersonating Infinite Campus or district IT personnel
- Review exposed support ticket histories for sensitive configuration details or disclosed system vulnerabilities
- Report suspicious activity to the district’s IT security team without delay
The Infinite Campus breach underscores the urgent need for education institutions to treat student information systems as critical infrastructure, implementing continuous threat detection, staff security awareness training, and vendor security assessments as baseline protections against extortion-driven attacks.
No Comment! Be the first one.