"The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets," Have I Been Pwned said.
ShinyHunters claims and the leaked archive
The extortion group ShinyHunters claimed responsibility for a March attack on Infinite Campus' Salesforce instance and published a 1.2GB archive of documents that it said contained Salesforce records and internal corporate data. The group has spent the last year publicly claiming large thefts from Salesforce customers, saying it has taken more than 1.5 billion records after breaching hundreds of companies in campaigns variously described as the Salesloft Drift hack and the Salesforce Aura campaign.
More recently, ShinyHunters has also claimed responsibility for a separate data theft campaign that exploits a zero‑day vulnerability in Oracle's PeopleSoft software, alleging data theft from over 100 organizations including the University of Nottingham. In the Infinite Campus case, the extortion group both claimed the breach and made data public on its data leak site.
Infinite Campus: customer base, notification, and how it described the attack
Infinite Campus — an education technology company that provides a student information system to more than 3,200 U.S. school districts and manages data for 11 million students in 46 states — notified customers in March after discovering a theft from its Salesforce instance. The company described the attacker as "part of a group known for targeting the Salesforce accounts of hundreds of companies" and told affected customers the exposed data contained names and contact details for school staff and "other publicly available information."
Infinite Campus also communicated that it had "no evidence that customer databases were compromised." The company characterized the material taken as "names and contact information for school staff; the majority is directory information commonly found on school websites."
Have I Been Pwned analysis: size and types of data exposed
Data breach notification service Have I Been Pwned analyzed the leaked archive and reported that the breach exposed data from 137,100 accounts. According to Have I Been Pwned, the leaked records include unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets.
Have I Been Pwned reiterated Infinite Campus' note that the exposed material "largely consisted of 'names and contact information for school staff' and that 'the majority is directory information commonly found on school websites,'" while quantifying the number of unique accounts in the leaked dataset.
Contrast with the December 2024 PowerSchool incident
The Infinite Campus Salesforce theft has been compared to a December 2024 incident involving PowerSchool, but the scale differs markedly. The PowerSchool breach affected 62 million students, while the Infinite Campus incident — as reported by Have I Been Pwned and the ShinyHunters archive — concerns roughly 137,100 school staff accounts. The PowerSchool-related attacker, described in reporting about that earlier incident, pleaded guilty in May 2025.
What this means for school districts, security teams, and school staff
- School districts and district leaders: Infinite Campus serves over 3,200 districts and informed customers that the exposed data consisted largely of staff names and contact information, much of which the company said is directory information commonly found on school websites.
- Technologists and security teams: the attacker targeted a Salesforce instance and was described by Infinite Campus as "part of a group known for targeting the Salesforce accounts of hundreds of companies." ShinyHunters' public release of a 1.2GB archive and Have I Been Pwned's analysis identifying 137,100 affected accounts are documented elements security teams will need to reconcile with their own incident response and log data.
- School staff and affected individuals: Have I Been Pwned reported that the leaked dataset contains names, email addresses, phone numbers, physical addresses, usernames, employers, job titles, and support tickets — the specific categories the service enumerated for the 137,100 accounts it analyzed.
Infinite Campus has maintained that it found no evidence customer databases were compromised even as a public leak and third‑party analysis document a large set of staff records. Whether further forensic work will change that assessment — and whether the leak's operational impact will extend beyond exposed directory and contact fields — remains the central question left by the published material.
