- Infinite Campus hit by ShinyHunters via Salesforce account breach
- Names and staff contact info stolen; customer data unaffected
- Group added company to leak site, demanding ransom by March 25 amid wider Salesforce-targeting campaign
Popular student information system (SIS) Infinite Campus has confirmed suffering a data breach at the hands of the infamous ShinyHunters group, who are now trying to extort the company for money.
In a data breach notification letter, shared to affected individuals and subsequently posted on Reddit, Infinite Campus said an unauthorized actor accessed an employee’s Salesforce account on March 18, 2026, but was quickly ousted after IT and security teams were alerted.
However, before they were forced out, the attacker managed to grab names and contact information of school staff. Infinite Campus says most of the data they nabbed is “commonly found on school websites”, and customer information was not targeted or stolen.
ShinyHunters take the blame
While the organization did not name the perpetrators, it did say that they are a “group knThat did not stop the attackers from reaching out and trying to extort the organization for money. “Infinite Campus has not, and will not, engage with the unauthorized actor,” it said, before adding that it disabled some customer-facing services for users without IP addresses.
own for targeting the Salesforce accounts of hundreds of companies,” which hints at ShinyHunters.
At the same time, the group added Infinite Campus to its data leak site, giving a deadline of March 25, 2026 for the payment, or it would release all of the stolen files on the dark web.
They are claiming to have taken Salesforce records with personally identifiable information (PII) and various internal corporate data.
ShinyHunters have been running campaigns against Salesforce customers for several months now, with victims including Cisco, Adidas, Qantas, and Allianz Life.
In the attackers, they would use voice phishing (vishing) to trick employees into granting access, or stealing OAuth tokens, and would then use the access to exfiltrate CRM data. The data is then offered back, in exchange for bitcoin or monero.
Via BleepingComputer
