
ShinyHunters Took 137K School Staff Accounts in Infinite Campus Salesforce Heist

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 2 comments

Personal info for 137,100 school staff was exposed after ShinyHunters breached Infinite Campus's Salesforce instance, echoing the 62M-student PowerSchool disaster.

infinite campus, shinyhunters, salesforce, data breach, edtech, k-12

137,100 school staff accounts. One 1.2GB archive. And a familiar extortion group taking credit for breaking into yet another Salesforce instance.

Infinite Campus, the student information system used by 3,200 US school districts for 11 million K-12 students, confirmed in March that an attacker stole names, email addresses, phone numbers, physical addresses, job titles, and support tickets from its Salesforce deployment. The company downplayed the exposure as "directory information commonly found on school websites." But the leaked data includes internal support tickets, which go well beyond any public directory.

137,100 Staff Records in a 1.2GB Dump

Have I Been Pwned analyzed the dump and confirmed 137,100 unique email addresses plus associated PII. ShinyHunters leaked the archive on its data leak site after claiming responsibility. The group has made a sport of pillaging Salesforce tenants over the past year, claiming more than 1.5 billion records from hundreds of companies in the Salesloft Drift hack and the Salesforce Aura campaign.

Infinite Campus told customers the attacker was "part of a group known for targeting the Salesforce accounts of hundreds of companies." It did not name ShinyHunters, but the group's claim lines up perfectly. The same playbook: find a poorly secured Salesforce instance, pull contact records, ransom or leak.

Why ShinyHunters Keeps Hitting Salesforce Instances

Salesforce is a CRM platform that companies fill with customer and staff data. Organizations often misconfigure permissions, leave sandboxes exposed, or fail to apply MFA on internal user accounts. Once inside, attackers can extract entire contact databases with minimal effort. ShinyHunters knows this and has automated the reconnaissance.

This incident mirrors the December 2024 PowerSchool breach, in which a 19-year-old stole data on 62 million students. The scale difference is stark: 137K vs 62M. But the root cause is identical. EdTech vendors collect mountains of personal data and treat it like public directory info. Infinite Campus's own breach notification says "the majority is directory information commonly found on school websites." That's a convenient excuse that ignores the support tickets, internal notes, and metadata sitting in the same Salesforce org.

The Bigger EdTech Security Pattern

ShinyHunters isn't stopping at Salesforce. The group recently claimed responsibility for a data theft campaign exploiting a zero-day in Oracle's PeopleSoft enterprise software, hitting over 100 organizations including the University of Nottingham. The same crew, the same MO: find an exposed enterprise SaaS instance, exfiltrate, extort, leak.

School districts signed up for Infinite Campus to manage student grades, attendance, and schedules. They did not sign up for their staff's personal data to be dumped on a leak site because someone left Salesforce unlocked. Until EdTech vendors start treating their own Salesforce tenancy with the same rigor they apply to student data encryption, these breaches will keep coming.


Source: Infinite Campus data breach affects 137,000 school staff accounts
Domain: bleepingcomputer.com
