Infinite Campus, a student information system serving 3,200 school districts and 11 million students across 46 US states, suffered a Salesforce-targeted breach in March 2026 that exposed personal data for 137,100 school staff members. The ShinyHunters extortion gang, responsible for stealing over 1.5 billion records across hundreds of companies in recent months, accessed the EdTech vendor's Salesforce instance and leaked a 1.2GB archive containing names, email addresses, phone numbers, physical addresses, job titles, usernames, and support tickets. Infinite Campus initially downplayed the incident by characterising the exposed information as "directory information commonly found on school websites," though the presence of support tickets and internal corporate data in the leaked archive suggests the breach penetrated deeper than the vendor's public statements indicated.
The incident exposes a critical vulnerability in how education technology vendors manage customer data within their own operational systems—a distinction that should concern CX teams relying on similar SaaS infrastructure. Unlike the PowerSchool breach affecting 62 million students, this attack targeted Infinite Campus's internal Salesforce environment rather than student databases, yet it still compromised staff credentials and support documentation that could facilitate secondary attacks on school districts themselves. For organisations running Salesforce as a central hub for customer and employee data, this raises an uncomfortable question: how thoroughly are you auditing access controls and data segmentation within your own Salesforce instances, particularly when third-party vendors and support teams require legitimate access? The ShinyHunters group's demonstrated ability to systematically exploit Salesforce environments across hundreds of organisations—from Salesloft and Drift to Aura campaigns—suggests this is not an isolated vendor problem but a systemic weakness in how cloud CRM platforms are hardened against insider and credential-based threats.
The breach also underscores the cascading risk model that CX teams often overlook: when a vendor's support systems are compromised, the exposed tickets and internal notes become reconnaissance material for attackers targeting the vendor's customers. School districts now face potential phishing and social engineering campaigns informed by legitimate support documentation. For CX leaders managing sensitive customer data through Salesforce or similar platforms, this incident should trigger an immediate audit of data classification within your CRM, access logging for support teams, and whether your incident response playbooks account for the scenario where your own operational data becomes a vector for attacking your customers.
The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March. [...]