ShinyHunters compromised an Infinite Campus employee's Salesforce account on March 18, 2026. After a failed extortion attempt, 137,123 unique school staff email addresses were published on Have I Been Pwned on June 15, 2026. The incident highlights SaaS supply-chain risks in the education-technology sector.

On the afternoon of March 18, 2026, an unauthorized actor gained access to an Infinite Campus employee's Salesforce account. The system, used for internal ticketing and case management, provided access to names and contact details for school staff. Three months later, on June 15, 2026, the data appeared on Have I Been Pwned: 137,123 unique email addresses, published by ShinyHunters after the company refused to pay a ransom. The incident reopens the issue of SaaS supply-chain risk in the education-technology sector.

Key Takeaways
  • The intrusion occurred on March 18, 2026, via compromise of an employee Salesforce account — a ticketing system separate from the student information system.
  • The exposed data consists of 137,123 unique staff email addresses, added to Have I Been Pwned on June 15, 2026, according to TechNadu.
  • Infinite Campus confirmed that no customer databases were compromised and that student information was not accessed.
  • ShinyHunters attempted a "pay or leak" extortion, then published the dataset after Infinite Campus refused to negotiate.

How the Attacker Got In

Infinite Campus describes the event precisely in the notification sent to customer districts. "On the afternoon of Wednesday, March 18, 2026, an unauthorized actor gained access to an Infinite Campus employee's Salesforce account. Salesforce is the company's internal case management and ticketing system — it is not the student information system itself." The quote, reported by the Orange County school district, eliminates any ambiguity about the vector: not an attack on the core SIS, but on a SaaS support platform.

The architectural distinction contained the impact. The student system, which houses grades, attendance, health and demographic data, remained outside the intrusion's reach. This is the fact that Infinite Campus and its customers have put front and center. However, the support CRM still held operational data: names, roles, affiliated institutions, and contact channels for staff who interact with the vendor.

The sources do not reveal the specific mechanism that opened the Salesforce account. Phishing, credential stuffing, session hijacking, or compromise of prior credentials remain undocumented hypotheses. The dossier does not identify the employee involved or the exact authentication path that was breached.

What Was Stolen and What Wasn't

Charlie Kratsch, founder and CEO of Infinite Campus, defined the perimeter of the exposed data. His statements, reported by SC World based on BleepingComputer, indicate "only names and contact details for school staff, as well as other typically publicly available data." TechNadu adds that "the majority of the information is directory information commonly found on school websites."

"only names and contact details for school staff, as well as other typically publicly available data, had been accessed by attackers, while no customer databases were compromised" — Charlie Kratsch, CEO Infinite Campus

The quantitative figure is precise: 137,123 unique email addresses, according to Have I Been Pwned as reported by TechNadu. This number refers exclusively to distinct email addresses in the dataset, not to the total record count or the number of districts involved. The sources do not quantify how many institutions are actually represented among the 137,123 addresses. This is an area of uncertainty the dossier does not resolve.

What the sources exclude is equally defined. Infinite Campus explicitly denied that student information was breached. Cloaked, in its analysis, notes "no evidence" of sensitive data such as SSNs or financial information. This alignment among the official source, a security source, and a commercial source reduces the risk of understatement, but does not negate the criticality of the exposure for the affected school staff.

The Extortion and Publication

ShinyHunters managed the aftermath according to its established operational model. TechNadu documents a "pay or leak" campaign: an extortion attempt followed, in the event of non-payment, by full publication of the dataset. Infinite Campus did not pay, and the dataset was published. Cloaked reports that the company "have outright refused to negotiate or pay any part of the ransom." SC World confirms the "refusal to engage with hackers."

Publication occurred on June 15, 2026, the date of inclusion in Have I Been Pwned. The timeline, nearly three months after the intrusion, reflects an extortion cycle longer than those typical of traditional ransomware, where publication follows non-payment within tight deadlines. This pattern suggests ShinyHunters treated the dataset as a negotiating asset rather than merchandise to dump immediately, likely because of its volume and its education-sector focus.

SecurityWeek, providing context, places ShinyHunters in a phase of intense activity targeting Salesforce-related platforms. Although the source does not directly address the Infinite Campus case, the overall picture indicates the group is systematically probing SaaS accounts with access to organized user bases, preferring third-tier vectors over core systems that are more aggressively protected.

Infinite Campus Response and Known Limits

After detection, Infinite Campus disabled the compromised account and initiated a remediation process. SC World documents two specific actions: a full scan of Salesforce data conducted with external partners, and deactivation of certain services for customers lacking IP restrictions. CEO Kratsch confirmed that no customer databases were compromised.

The dossier does not allow assessment of the concrete effectiveness of deactivation for customers without IP restrictions. It is unclear which services were deactivated, for how many customers, or for how long. This element, present in the sources as an action taken, lacks sufficient operational detail to establish its impact on the residual attack surface.

It also remains unknown whether Infinite Campus notified regulatory authorities or attorneys general, beyond the customer school districts. The documented information flow concerns the vendor-district-staff chain, not any potential involvement of enforcement or regulators under specific state frameworks. The dossier does not exclude it, but does not confirm it.

What to Do Now

For CISOs of school districts using Infinite Campus or similar SIS vendors, the dossier suggests verification priorities concentrated on three axes. First, verify that staff contacts registered with the vendor are actually operational and not shared aliases. Second, check whether the district has enabled IP restrictions on the vendor's support services, given that deactivation specifically hit customers without this protection. Third, monitor staff user credentials in HIBP to identify cross-exposures combining emails, names, and institutions.
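The first and third checks above, as an added example that is not from the article or from any vendor: it cross-references a constructed export of vendor-registered contacts against a result shaped like a HIBP domain search (alias mapped to breach names). The role-mailbox list, the field names, and `VENDOR_BREACH_PLACEHOLDER` are assumptions; the article does not give the breach's name as listed in HIBP.

```python
# Local parts treated as shared/role mailboxes (assumed heuristic; adjust per district).
ROLE_LOCAL_PARTS = {"info", "office", "helpdesk", "support", "admin", "frontdesk"}
# Placeholder: the article does not give the breach's name as listed in HIBP.
BREACH_NAME = "VENDOR_BREACH_PLACEHOLDER"

def triage_contacts(vendor_contacts, hibp_result, domain, breach_name=BREACH_NAME):
    """Return one finding per vendor-registered contact.

    vendor_contacts: dicts with an 'email' key (constructed export format).
    hibp_result: alias -> list of breach names for `domain` (assumed shape).
    """
    by_alias = {a.lower(): set(b) for a, b in hibp_result.items()}
    findings = []
    for contact in vendor_contacts:
        email = contact["email"].strip().lower()
        local, _, contact_domain = email.rpartition("@")
        if contact_domain != domain.lower():
            # A domain search only covers the verified domain; flag the rest.
            findings.append({"email": email, "status": "out_of_scope",
                             "other_breaches": [], "actions": ["check manually"]})
            continue
        breaches = by_alias.get(local, set())
        exposed = breach_name in breaches
        actions = []
        if local in ROLE_LOCAL_PARTS:
            actions.append("replace shared alias with a named contact")
        if exposed:
            actions.append("brief on vendor-themed phishing")
        if exposed and len(breaches) > 1:
            actions.append("review credential reuse across breaches")
        findings.append({"email": email,
                         "status": "exposed" if exposed else "not_listed",
                         "other_breaches": sorted(breaches - {breach_name}),
                         "actions": actions})
    return findings

# Constructed sample data (not real addresses or breach records).
SAMPLE_CONTACTS = [{"email": "J.Rivera@district.example"},
                   {"email": "helpdesk@district.example"},
                   {"email": "m.chen@district.example"},
                   {"email": "consultant@partner.example"}]
SAMPLE_HIBP = {"j.rivera": [BREACH_NAME, "OtherBreachA"], "helpdesk": [BREACH_NAME]}

if __name__ == "__main__":
    for finding in triage_contacts(SAMPLE_CONTACTS, SAMPLE_HIBP, "district.example"):
        print(finding)
```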

Finally, the case revives the debate over classification of exposed data. When names, roles, and emails of education staff are already public on district websites, breach notification takes on different contours. But vendor-scale aggregation, which links an individual to a specific platform, a district, and a role in the education system, transforms directory information into an intelligence asset for targeted spear-phishing. FERPA compliance, which treats these data as public, does not measure the risk of weaponization. The gap between legal classification and actual risk remains open.

The paradox is that a technically "minor" attack — no SIS compromised, no student data exposed, no financial information stolen — nonetheless generates a vast social-attack surface. 137,123 people with education roles, now associated with a specific vendor, are potential targets for phishing campaigns that exploit the inherent trust context of the school sector. Architectural separation safeguarded the databases, not operational trust.

Information has been verified against cited sources and is current as of publication.

Sources and references
  1. securityweek.com
  2. orangecountyfirst.com
  3. cloaked.com
  4. scworld.com
  5. technadu.com