Infinite Campus, a widely used K-12 student information system, is warning customers of a data breach following an extortion attempt by a threat actor.

In the breach notification sent to customers, Infinite Campus states that hackers accessed an employee's Salesforce account, exposing information that was mostly publicly available.

The company has not published an official statement, but customers reported the incident on various public platforms.

The notification comes shortly after the data extortion group ShinyHunters claimed the attack and posted a “final warning” on its dark web site yesterday, threatening to leak all data allegedly stolen from Infinite Campus.

The hackers gave the company until March 25 to initiate contact and negotiate a ransom to prevent a data leak. However, Infinite Campus said that it will not engage with the attacker.

ShinyHunters claims to have stolen Salesforce records containing personally identifiable information (PII) and various internal corporate data.

Infinite Campus is a U.S.-based education technology (EdTech) company that provides a student information system (SIS) to more than 3,200 school districts in the United States. Currently, its software applications manage data of 11 million students in 46 states.

Although Infinite Campus did not name ShinyHunters as the threat actor, it described the intruder as “part of a group known for targeting the Salesforce accounts of hundreds of companies.”

The extortion group has been targeting Salesforce customers for the past year, breaching hundreds of companies and claiming more than 1.5 billion records stolen in the Salesloft Drift hack and the more recent Salesforce Aura campaign. 

Infinite Campus has also stated that, according to its investigation, no customer databases were accessed. Exposed data consists of names and contact details for school stuff and information that is commonly available publicly.

“Their target was the Infinite Campus Salesforce instance, consisting of names and contact information for school staff; the majority is directory information commonly found on school websites,” explained the firm.

In response to the incident, the firm has disabled certain customer-facing services for users without IP address restrictions to minimize the risk of potential exposure of sensitive data.

At the same time, it is scanning all Salesforce data that may have been compromised and is contacting potentially impacted districts to provide guidance.

BleepingComputer has contacted Infinite Campus with questions on how many school districts have been impacted, but a company representative shared with us the notification sent to customers with no additional comment.

The incident resembles the December 2024 PowerSchool hack due to the type of targeted platform, though the impact scope was vastly different, exposing the sensitive information of 62 million students.

The hacker behind that attack, a 19-year-old college student from Massachusetts, was eventually sentenced to four years in prison, following his guilty plea in May 2025.

Update [March 24, 11:37 EST]: Article edited to reflect that Infinite Campus shared with BleepingComputer the notification sent to customers.