A new wave of school cybersecurity trouble landed in March. Attackers broke into the Salesforce systems behind Infinite Campus, a student information platform used by school districts nationwide. The Infinite Campus data breach didn’t touch student records directly. Instead, it exposed personal details for more than 137,000 school staff members across the country.
The incident adds another entry to a growing list of education sector breaches this year. It also raises fresh questions about how much trust schools can place in outside software vendors.
What Happened in the Infinite Campus Data Breach
Infinite Campus manages student records, attendance, and grading systems for school districts covering 11 million students across 46 states. Hackers didn’t break into that core database. Instead, they compromised the company’s Salesforce instance, the customer relationship platform schools and partners use for support tickets and account details.
Infinite Campus told affected customers that the stolen records contained staff names and contact information. The company said most of this data already exists publicly. It mirrors directory listings commonly posted on school websites. Infinite Campus added that the breach did not affect its core customer databases, including student records.
Infinite Campus first disclosed the incident to customers in March without naming the attackers behind it. Have I Been Pwned later reviewed the leaked data and confirmed the scope of the breach. It put the number of affected accounts at 137,100.
Who Is Behind the Attack
The ShinyHunters extortion group has claimed responsibility for the Infinite Campus data breach. The gang published a 1.2GB archive of internal documents and customer records on its data leak site. It listed Infinite Campus alongside other Salesforce-linked victims it claims to have hit over the past year.
ShinyHunters specializes in large-scale data theft rather than traditional ransomware. It steals information first, then pressures victims to pay before the data leaks publicly. The group claims more than 1.5 billion stolen records from hundreds of organizations, mostly through two prior campaigns called Salesloft Drift and Salesforce Aura. Both relied on abusing third-party integrations rather than exploiting flaws in Salesforce’s own platform.
How the Infinite Campus Data Breach Compares to PowerSchool
This isn’t the first time a major K-12 software vendor has made headlines for a data breach. PowerSchool suffered a similar attack in December 2024, but on a much larger scale, exposing records for 62 million students. A 19-year-old college student from Massachusetts later pleaded guilty to that hack and received a four-year prison sentence.
The Infinite Campus data breach is smaller in scope and limited to staff information rather than student records. But the pattern looks familiar. Attackers target the software vendors schools depend on, because breaching one vendor can expose data tied to thousands of institutions at once.
Why School Staff Should Still Take This Seriously
Names, job titles, phone numbers, and email addresses might sound like low-risk information compared to financial records or medical history. But this is exactly what phishing campaigns are built on. Attackers can use accurate names, titles, and employer details to craft convincing emails that impersonate school administrators, IT staff, or even superintendents.
Support ticket data leaked in the Infinite Campus data breach adds another layer of risk. If those tickets reference internal systems, login issues, or account problems, scammers can use that context to make follow-up phishing attempts sound legitimate. Staff at affected districts should treat unexpected emails about password resets or IT support with extra caution.
How to Protect Yourself After a Breach Like This
Anyone connected to a school district touched by the Infinite Campus data breach should take a few practical steps. Start by checking whether your email address appears in the leaked dataset through a breach notification service. Change passwords for any accounts that reuse credentials tied to your work email. Turn on two-factor authentication wherever it’s available.
A VPN won’t undo a breach that already happened. But it does limit how much additional data attackers can collect about your location and browsing habits during the fallout. Pairing a reputable VPN with a password manager and regular credential checks helps. Together, they make stolen contact details much harder to turn into a bigger account takeover. Keep an eye on accounts for unusual login alerts or unexpected password reset emails in the weeks ahead.
Final Thoughts
School districts are only as secure as the vendors they rely on. The Infinite Campus data breach is the latest case where a vendor, not a school itself, became the point of failure. Even ordinary-looking data, like names and phone numbers, still gives attackers useful material. They can use it to run convincing phishing campaigns against staff and the districts they serve.
School IT teams and individual employees both have a role to play here. Districts need to push vendors on how they secure third-party platforms like Salesforce. Staff need to stay alert to phishing attempts that reference this breach. Education technology isn’t going away, so neither is the responsibility to protect the data flowing through it.