A total of 137,123 Infinite Campus user accounts have been exposed in an extortion campaign carried out by the ransomware group ShinyHunters. The attackers gained access to a company Salesforce account and failed to secure a ransom payment.
-
A cybercriminal group claims responsibility for a breach affecting more than 137,000 Infinite Campus user accounts.
-
Attackers allegedly gained access through a compromised Salesforce account linked to the education technology provider.
-
Exposed information reportedly includes contact details, usernames, job titles and support-related records.
-
Infinite Campus refused to pay the extortion demand, after which the stolen data was reportedly published.
In March, Infinite Campus, a widely used Student Information System (SIS) provider, was targeted by ShinyHunters.
According to an email sent to affected students and workers, the gang gained access to an employee’s Salesforce account on March 18th. To minimize the impact, the compromised account was immediately shut down.
“That evening, the unauthorized actor, claiming to be part of a group known for targeting the Salesforce accounts of hundreds of companies, contacted Infinite Campus, demanding payment in exchange for the destruction of the Salesforce data they claimed to possess. Infinite Campus has not, and will not, engage with the unauthorized actor,” the email stated.
Charlie Kratsch, Founder and CEO of Infinite Campus, told the media that the Infinite Campus Salesforce instance was accessed, which contained the names and contact information of school staff members.
ShinyHunters, on the other hand, claimed to have stolen Salesforce records containing personally identifiable information (PII) and other internal corporate data. Members of the gang gave Infinite Campus until March 25th to come up with the ransom demand.
“This is a final warning to reach out by March 25th, 2026, before we leak, along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline,” ShinyHunters warned.
According to Troy Hunt, a cybersecurity researcher from Australia and creator of the Have I Been Pwned database, the ransomware extortion group has published the data that it exfiltrated.
He says that the leak contained 137,123 unique email addresses, along with names, phone numbers, physical addresses, job titles, usernames, and support tickets. In addition, three-quarters of the compromised email addresses (76%) were already in the Have I Been Pwned database.
Infinite Campus is an educational technology company known for creating a popular Student Information System (SIS) that serves over 3,200 school districts in the United States. It manages the data of more than 11 million students in 46 states.
FAQ
Does Infinite Campus have an app?
Yes, Infinite Campus has a mobile app called Campus Student (for students) and Campus Parent (for parents).It lets users check grades, assignments, schedules, and attendance. The app is available on both iOS and Android.
Does infinite campus show your GPA?
Yes, Infinite Campus can show your GPA, but it depends on how your school district sets it up.Many schools display weighted or unweighted GPA directly in the student or parent portal, while others only show grades and calculate GPA separately.
Does Infinite Campus round up grades?
No, Infinite Campus itself doesn’t automatically round grades. It displays whatever grading rules your school or district sets in the system.Some schools may choose to round grades when calculating final marks or GPA, but that’s a policy decision, not something the platform does by default.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked