Full Report
In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites".
Analysis Summary
# Incident Report: Infinite Campus Data Breach & Extortion Campaign
## Executive Summary
In March 2026, Infinite Campus, a prominent student information system, was targeted by the threat actor group "ShinyHunters" in a "pay or leak" extortion campaign. The breach resulted in the exfiltration and subsequent publication of a database containing approximately 137,000 unique records, primarily consisting of school staff contact information and support tickets. The organization responded by notifying affected parties and downplaying the sensitivity of the data, characterizing it largely as publicly available directory information.
## Incident Details
- **Discovery Date:** March 2026 (via threat actor extortion claim)
- **Incident Date:** March 2026
- **Affected Organization:** Infinite Campus
- **Sector:** Education Technology (EdTech)
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Not explicitly disclosed (ShinyHunters typically utilize credential stuffing or cloud misconfigurations).
- **Details:** The threat actor group ShinyHunters gained unauthorized access to internal data storage or a support database.
### Lateral Movement
- **Details:** Not described in the source article; no information is available on movement within the Infinite Campus network.
### Data Exfiltration/Impact
- **Details:** Attackers extracted a dataset containing 137,175 unique records. Following a failed extortion attempt ("pay or leak"), the group published the data online to pressure the organization.
### Detection & Response
- **Detection:** The incident was identified when ShinyHunters publicly claimed credit for the theft and initiated extortion demands.
- **Response Actions:** Infinite Campus conducted an internal investigation, issued formal notifications to school administrators, and performed a data sensitivity analysis.
## Attack Methodology
- **Initial Access:** Likely exploitation of third-party platforms or unsecured cloud repositories (consistent with ShinyHunters' historical TTPs).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential harvesting of usernames and passwords from support tickets.
- **Discovery:** Targeted search for school staff contact databases and support ticket systems.
- **Lateral Movement:** Not disclosed.
- **Collection:** Automated extraction of 137k records including names, emails, and phone numbers.
- **Exfiltration:** Data transferred to threat actor-controlled infrastructure for extortion purposes.
- **Impact:** Data breach and extortion; publication of sensitive support tickets.
## Impact Assessment
- **Financial:** Potential regulatory fines (FERPA/state laws) and costs associated with incident response and victim notification.
- **Data Breach:** High volume (137.1k accounts); includes names, physical addresses, job titles, and internal support tickets.
- **Operational:** Disruption to support services and administrative overhead for school districts.
- **Reputational:** Minor to moderate; while Infinite Campus maintains the data was "directory information," the inclusion of support tickets suggests deeper access than public records.
## Indicators of Compromise
- **Network indicators:** None provided in public disclosure.
- **File indicators:** None provided in public disclosure.
- **Behavioral indicators:** Unauthorized large-scale API calls or database exports; extortion communication from ShinyHunters.
## Response Actions
- **Containment:** Infinite Campus addressed the weakness used for exfiltration (implied by the notifications; not stated explicitly in the source).
- **Eradication:** Notified Have I Been Pwned (HIBP) for public awareness.
- **Recovery:** Issued public statements and direct notifications to the k12sysadmin community and clients.
## Lessons Learned
- **Key Takeaways:** Support ticket systems often contain more sensitive PII than anticipated and require the same level of security as core production databases.
- **Weaknesses:** Extortion groups like ShinyHunters often exploit "shadow IT" or secondary systems that may not have the same rigorous audit logs as primary student records.
## Recommendations
- **Prevention:** Implement strict Multi-Factor Authentication (MFA) across all administrative and support platforms.
- **Data Minimization:** Regularly purge old support tickets and redact PII from communications within support databases.
- **Monitoring:** Deploy Data Loss Prevention (DLP) tools to alert on the egress of large volumes of records to unknown external IPs.
- **Link expiry:** Ensure internal links embedded in support tickets require authentication or expire, so that links contained in the leaked tickets cannot be reused to reach internal resources.
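The behavioral indicator above ("unauthorized large-scale API calls or database exports") and the monitoring recommendation can be turned into a concrete detection. The following is an added example, not code from the report or from Infinite Campus: it runs a sliding-window volume check and an external-egress check over constructed support-ticket export audit lines. The log format, the `ticket.export` action name, the corporate network range and the thresholds are all assumptions chosen for illustration.

```python
# Added illustration: bulk-export detector for support-ticket audit logs.
# Log format, action names, thresholds and network range are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample audit lines: "<ISO time> <principal> <action> <records> <client_ip>"
SAMPLE_LOG = """\
2026-03-02T08:00:01Z helpdesk-alice ticket.export 25 10.20.0.14
2026-03-02T08:05:10Z helpdesk-alice ticket.export 40 10.20.0.14
2026-03-02T08:06:00Z svc-integration ticket.export 5000 10.20.0.50
2026-03-02T08:07:30Z svc-integration ticket.export 5000 10.20.0.50
2026-03-02T08:08:45Z svc-integration ticket.export 5000 203.0.113.77
2026-03-02T09:30:00Z helpdesk-bob ticket.view 1 10.20.0.15
"""

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range
WINDOW = timedelta(minutes=15)   # sliding window for per-principal volume
RECORD_THRESHOLD = 1000          # records per principal per window before alerting

def parse_line(line):
    ts, principal, action, count, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, action, int(count), ip

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_bulk_exports(log_text):
    """Return (principal, reason) alerts; each principal is reported once per reason."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    per_principal = defaultdict(list)   # principal -> [(ts, count)] of recent exports
    alerts = []
    for ts, principal, action, count, ip in events:
        if action != "ticket.export":
            continue
        # Any export served to an address outside the corporate range is egress.
        if is_external(ip) and (principal, "external_egress") not in alerts:
            alerts.append((principal, "external_egress"))
        window = per_principal[principal]
        window.append((ts, count))
        # Drop export events that have aged out of the sliding window.
        per_principal[principal] = window = [(t, c) for t, c in window if ts - t <= WINDOW]
        if sum(c for _, c in window) > RECORD_THRESHOLD and (principal, "bulk_volume") not in alerts:
            alerts.append((principal, "bulk_volume"))
    return alerts
```

On the sample above, the helpdesk analyst's small exports stay under the threshold, while the integration account trips the volume check on its first 5,000-record export and the egress check when a later export is served to a non-corporate address.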