Full Report
There was some understandable panic and concern in the K-12 sector when the ShinyHunters threat actors announced they had compromised and would leak data from edtech vendor Infinite Campus. Was this going to be another massive breach like the PowerSchool breach that affected tens of millions of students? At the present time, the Infinite Campus...
Analysis Summary
# Incident Report: Infinite Campus Salesforce Environment Compromise
## Executive Summary
On March 18, 2026, the threat actor group known as "ShinyHunters" gained unauthorized access to an internal Salesforce account belonging to an employee of Infinite Campus, a major K-12 edtech vendor. The breach was limited to the company’s internal case management and ticketing system, rather than the core Student Information System (SIS). While initial reports sparked concerns of a massive student data leak, investigation suggests the exposure was primarily restricted to school staff contact information and help desk tickets.
## Incident Details
- **Discovery Date:** March 18, 2026
- **Incident Date:** March 18, 2026
- **Affected Organization:** Infinite Campus
- **Sector:** Education Technology (EdTech) / K-12
- **Geography:** United States (Targeted operations noted in North Carolina)
## Timeline of Events
### Initial Access
- **Date/Time:** Wednesday, March 18, 2026 (Afternoon)
- **Vector:** Credential compromise of a single employee account.
- **Details:** An unauthorized actor gained access to an Infinite Campus employee’s Salesforce account, which is used for client support and internal ticketing.
### Lateral Movement
- **Details:** The threat actor navigated within the Salesforce instance; however, there is currently no evidence of lateral movement from the Salesforce environment into the primary student databases or production SIS infrastructure.
### Data Exfiltration/Impact
- **Details:** ShinyHunters acquired data from the Salesforce instance. This included names and contact information for school staff (directory info). Investigation is ongoing to determine if sensitive information was contained within support tickets.
### Detection & Response
- **Detection:** Infinite Campus IT and Security teams detected the intrusion on the same day it occurred.
- **Response:** The compromised account was immediately disabled. The company initiated a forensic scan of all Salesforce data and proactively disabled certain services for customers lacking IP restrictions.
## Attack Methodology
- **Initial Access:** Compromised employee credentials.
- **Persistence:** Not specified; account was disabled shortly after detection.
- **Privilege Escalation:** Not reported.
- **Defense Evasion:** Not reported.
- **Credential Access:** Likely phishing or credential harvesting targeting an employee.
- **Discovery:** ShinyHunters identified the Salesforce instance as a repository for client data.
- **Lateral Movement:** Limited to the Salesforce environment.
- **Collection:** Gathering data from internal support tickets and client contact lists.
- **Exfiltration:** Data pulled from the Salesforce cloud environment.
- **Impact:** Temporary service disruption for clients without IP restrictions and potential exposure of staff contact data.
## Impact Assessment
- **Financial:** Not yet disclosed; costs associated with forensic investigation and remediation are expected.
- **Data Breach:** Exposure of staff directory information and historical support tickets. No student databases were breached.
- **Operational:** Intentional service disruptions caused by Infinite Campus as a security precaution for clients without IP filtering.
- **Reputational:** Significant concern within the K-12 sector following high-profile EdTech breaches; mitigated by rapid transparent communication.
## Indicators of Compromise
- **Network indicators:** None provided in the public bulletin.
- **File indicators:** None provided.
- **Behavioral indicators:** Unusual login activity on a specific Salesforce employee account on 03/18/2026.
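The only indicator the bulletin gives is behavioral: an unusual login on one Salesforce account. The following is an added example, not code from Infinite Campus or Salesforce, showing how a defender can turn that into a repeatable check against exported login records. The field names (`UserId`, `LoginTime`, `SourceIp`, `Status`) mirror the Salesforce LoginHistory object, but every record below is constructed for illustration, and the business-hours window and failure threshold are assumptions to tune per environment. The check goes a little beyond the single indicator on the page: it builds a per-user baseline of source networks, then flags successful logins from a network the user has never used, outside the expected hours, or immediately after a run of failed attempts.

```python
"""Flag anomalous Salesforce-style logins against a per-user baseline.

Added example, not Infinite Campus or Salesforce code. Field names mirror the
Salesforce LoginHistory object; the records and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed records: office logins for U1 and U2 earlier in the month, then
# on the incident day a burst of failures followed by a success for U1 from an
# address U1 has never used, late in the evening (UTC).
SAMPLE_LOGINS = [
    {"UserId": "U1", "LoginTime": "2026-03-02T14:05:00Z", "SourceIp": "198.51.100.10", "Status": "Success"},
    {"UserId": "U1", "LoginTime": "2026-03-03T15:10:00Z", "SourceIp": "198.51.100.12", "Status": "Success"},
    {"UserId": "U1", "LoginTime": "2026-03-09T13:30:00Z", "SourceIp": "198.51.100.10", "Status": "Success"},
    {"UserId": "U2", "LoginTime": "2026-03-04T16:20:00Z", "SourceIp": "198.51.100.21", "Status": "Success"},
    {"UserId": "U2", "LoginTime": "2026-03-18T16:00:00Z", "SourceIp": "198.51.100.20", "Status": "Success"},
    {"UserId": "U1", "LoginTime": "2026-03-18T23:35:00Z", "SourceIp": "203.0.113.77", "Status": "Invalid Password"},
    {"UserId": "U1", "LoginTime": "2026-03-18T23:36:00Z", "SourceIp": "203.0.113.77", "Status": "Invalid Password"},
    {"UserId": "U1", "LoginTime": "2026-03-18T23:37:00Z", "SourceIp": "203.0.113.77", "Status": "Invalid Password"},
    {"UserId": "U1", "LoginTime": "2026-03-18T23:40:00Z", "SourceIp": "203.0.113.77", "Status": "Success"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(logins, cutoff):
    """Per-user set of /24 networks seen in successful logins before `cutoff`."""
    baseline = defaultdict(set)
    for rec in logins:
        if rec["Status"] == "Success" and parse_time(rec["LoginTime"]) < cutoff:
            baseline[rec["UserId"]].add(ip_network(f'{rec["SourceIp"]}/24', strict=False))
    return baseline


def find_anomalous_logins(logins, cutoff, business_hours_utc=range(13, 23), fail_threshold=3):
    """Return successful logins on/after `cutoff` that break the baseline.

    business_hours_utc and fail_threshold are assumed values for illustration.
    """
    baseline = build_baseline(logins, cutoff)
    failures = defaultdict(int)  # (user, ip) -> failed attempts since last success
    alerts = []
    for rec in sorted(logins, key=lambda r: r["LoginTime"]):
        key = (rec["UserId"], rec["SourceIp"])
        if rec["Status"] != "Success":
            failures[key] += 1
            continue
        reasons = []
        when = parse_time(rec["LoginTime"])
        if when >= cutoff:
            addr = ip_address(rec["SourceIp"])
            if not any(addr in net for net in baseline[rec["UserId"]]):
                reasons.append("new_network")
            if when.hour not in business_hours_utc:
                reasons.append("off_hours")
            if failures[key] >= fail_threshold:
                reasons.append(f"success_after_{failures[key]}_failures")
        failures[key] = 0
        if reasons:
            alerts.append({"UserId": rec["UserId"], "LoginTime": rec["LoginTime"],
                           "SourceIp": rec["SourceIp"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalous_logins(SAMPLE_LOGINS, parse_time("2026-03-18T00:00:00Z")):
        print(alert)
```

The `new_network` reason is the same question an IP restriction answers ahead of time: if the allowlist (the baseline here) had been enforced at the identity provider or in Salesforce login IP ranges, the login would have been refused rather than merely flagged. Running a check like this over daily exports is a cheap detective control for accounts where the preventive one is not yet in place.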
## Response Actions
- **Containment:** Disabled the compromised Salesforce account immediately upon detection.
- **Eradication:** Account remediation and scanning of the Salesforce instance for sensitive data.
- **Recovery:** Reactivation of services for customers once security parameters (like IP restrictions) were verified or addressed.
## Lessons Learned
- **Sensitive Data in Tickets:** Customers may inadvertently include sensitive student data or credentials in support tickets, creating a secondary risk profile for support platforms.
- **Speed of Disclosure:** Rapid detection and notification (within days) significantly reduced panic and allowed districts to monitor their own environments.
- **Environment Isolation:** The separation between the support ticketing system (Salesforce) and the student information system (SIS) effectively contained the breach.
## Recommendations
- **Enforce MFA:** Ensure Multi-Factor Authentication is mandatory for all employee accounts, especially those accessing SaaS platforms like Salesforce.
- **IP Whitelisting:** Implement IP address restrictions for all administrative and support services to prevent access from unauthorized locations.
- **Data Sanitization:** Train staff and clients to never include passwords or PII (Personally Identifiable Information) in support tickets.
- **Regular Audits:** Periodically scan support databases for accidentally uploaded sensitive files or credentials.
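The last two recommendations (keep credentials and PII out of tickets, and audit the ticket store for them anyway) can be backed by a simple periodic scan. The following is an added example, not Infinite Campus code, that scans constructed ticket bodies for common secret and PII patterns and reports redacted samples so the audit output does not itself become a second copy of the data. The ticket texts, the `id`/`body` record shape and the pattern set are assumptions; the pattern list is a starting point to extend with whatever identifiers a given SIS actually uses.

```python
"""Scan support-ticket text for credentials and PII that should never be there.

Added example, not Infinite Campus code. Tickets and patterns are constructed.
"""
import re

# Each pattern captures the sensitive value in group 1 where that makes sense,
# so only that part is redacted; otherwise the whole match is treated as the value.
PATTERNS = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|api[_ -]?key|token)\s*[:=]\s*(\S+)"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"(?i)\b(?:dob|date of birth)\b[^\n]{0,15}?(\d{1,2}/\d{1,2}/\d{2,4})"),
}

# Constructed tickets: one clean, one with a pasted password, one with student
# identifiers, one with a pasted private key.
SAMPLE_TICKETS = [
    {"id": "T-1001", "body": "Gradebook export fails for one section. Steps: open Reports, click Export. Error shown in screenshot."},
    {"id": "T-1002", "body": "Can't log in to the admin portal.\nusername: jdoe\npassword: Summer2026!\nPlease reset."},
    {"id": "T-1003", "body": "Enrollment mismatch for student. SSN 123-45-6789, DOB: 04/12/2014. Please correct the record."},
    {"id": "T-1004", "body": "Attaching the SFTP key we use:\n-----BEGIN RSA PRIVATE KEY-----\nMIIEow(rest omitted)\n-----END RSA PRIVATE KEY-----"},
]


def redact(value, keep=3):
    """Keep a short prefix so an analyst can locate the value without copying it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_ticket(ticket_id, text):
    """Return one finding per pattern hit: category, 1-based line, redacted sample."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.lastindex else match.group(0)
            findings.append({
                "ticket": ticket_id,
                "category": category,
                "line": text.count("\n", 0, match.start()) + 1,
                "sample": redact(value),
            })
    return findings


def scan_tickets(tickets):
    """Scan a list of {'id', 'body'} records and flatten the findings."""
    return [f for t in tickets for f in scan_ticket(t["id"], t["body"])]


if __name__ == "__main__":
    for finding in scan_tickets(SAMPLE_TICKETS):
        print(finding)
```

Because the scanner reports only a redacted prefix and a line number, its output can go to a ticket queue or SIEM without re-exposing the secret; the remediation step (rotate the credential, scrub the ticket, and notify the district that sent it) stays with a human.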