In March 2026, the ShinyHunters cybercriminal group breached Infinite Campus — one of the largest K-12 student information systems in the United States — through a Salesforce data theft attack. The breach exposed the personal information of approximately 137,000 school staff accounts. If you work in education and your school uses Infinite Campus, here's what you need to know and do.
What Happened
ShinyHunters, the same group behind the 2026 7-Eleven and Charter Communications breaches, targeted Infinite Campus's Salesforce instance as part of a broader "pay or leak" extortion campaign. The attackers gained access to the Salesforce environment used by Infinite Campus for customer support and internal operations.
Infinite Campus is used by over 2,000 school districts serving more than 7 million students across the country, making this breach particularly concerning for the education sector.
What Data Was Exposed
The compromised data includes:
- Email addresses (approximately 137,000 unique addresses)
- Full names and job titles
- Phone numbers and physical addresses
- Usernames and employer information
- Internal support ticket contents
Infinite Campus has noted that much of the exposed data consists of directory information about school staff that is often publicly available on institutional websites. However, the aggregation of this information in a single dataset creates significant risk.
Why This Matters for Educators
Teachers and school administrators are frequent targets of social engineering attacks. Threat actors can use the exposed job titles, school names, and contact information to craft highly convincing phishing emails that appear to come from your district or colleagues.
Step 1: Check If You're Affected
Visit haveibeenpwned.com and enter your work email address to check if it appears in the Infinite Campus breach dataset. You can also contact your school district's IT department to ask whether your information was included in the breach notifications.
Even if you haven't received a notification letter, take precautions if your school district uses Infinite Campus.
Step 2: Reset Your Passwords
Immediately change your password for:
- Your Infinite Campus account
- Your school district email
- Any other account where you used the same password
Use strong, unique passwords for each account. A password manager like Bitwarden or 1Password makes this manageable. Never reuse passwords across your personal and work accounts.
Skip the manual opt-outs
One opt-out won't stop them — brokers relist your data. PrivacyOn removes your info from 100+ sites and keeps it removed.
Start your free scanStep 3: Enable Multi-Factor Authentication
Enable MFA on every account that supports it, starting with your email and any educational platforms you use. If your school district hasn't deployed MFA on Infinite Campus or other administrative systems, urge your IT department to do so immediately.
Authenticator apps (like Google Authenticator or Microsoft Authenticator) are more secure than SMS-based codes, which can be intercepted through SIM swap attacks.
Step 4: Watch for Targeted Phishing
With your name, title, school, and contact information now in criminal hands, expect an increase in targeted phishing attempts. Be especially wary of:
- Emails appearing to come from your principal, superintendent, or district IT
- Messages about urgent password resets or account verification
- Requests to update direct deposit information or personal details
- Links to fake login pages for educational platforms
Red Flag Rule
If an email asks you to click a link and enter your login credentials, stop. Navigate directly to the website by typing the URL in your browser instead. Legitimate organizations will never ask you to verify your password through an email link.
Step 5: Monitor Your Accounts and Credit
Even though Social Security numbers may not have been part of this particular breach, the exposed personal information can be combined with data from other breaches to build a more complete identity profile. Take these precautions:
- Review your credit reports at AnnualCreditReport.com
- Set up fraud alerts or credit freezes if you're concerned
- Monitor your bank and financial accounts for unusual activity
- Check your tax transcripts at IRS.gov to ensure no one has filed a fraudulent return
Step 6: Report Suspicious Activity
If you notice signs of identity theft or receive suspicious communications:
- Report phishing emails to your school district's IT department
- File a report with the FTC at IdentityTheft.gov
- Report the incident to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov
- Contact your local police department if you experience financial losses
Protecting Yourself Long-Term
As an educator, your personal information is often more publicly accessible than average — school websites, staff directories, and public records make you an easier target. A data removal service like PrivacyOn can help reduce your exposure by monitoring over 100 data broker sites and automatically removing your personal information as it appears.
PrivacyOn's dark web monitoring will also alert you if your compromised credentials or personal data surface in new breach datasets, giving you time to change passwords and lock down accounts before they're exploited.
For school districts, this breach is a reminder to audit vendor security practices, implement zero-trust access controls, and ensure that administrative systems like Salesforce are properly segmented from sensitive student and staff data.