Infinite Campus Breach: 137K Staff Members Exposed (2026)

Overview

In March 2026, the student information system Infinite Campus was targeted in a “pay or leak” extortion campaign by the threat group ShinyHunters. The group subsequently published data they alleged was taken from Infinite Campus, containing 137,123 unique email addresses alongside names, phone numbers, physical addresses, and support ticket details. Infinite Campus sent notifications to affected parties, stating that the exposed data largely consisted of “names and contact information for school staff” and that “the majority is directory information commonly found on school websites.” The breach was reported to Have I Been Pwned, where users can check if their data was compromised. This incident underscores the vulnerability of educational systems that hold vast amounts of personal data on both staff and students.

What Was Exposed

The exposed data includes email addresses, names, phone numbers, physical addresses, and support ticket details. While Infinite Campus has characterized this as “directory information,” the inclusion of support tickets is particularly concerning. Support tickets often contain internal correspondence about system issues, user complaints, or requests for help that may reveal passwords, security configurations, or other sensitive details. Even if the data is considered low-risk individually, the combination of identifiers — name, address, phone, and email — can be used for targeted phishing campaigns against school staff. Attackers can craft convincing emails that reference real school operations or even impersonate IT support based on ticket details.

How the Breach Happened

ShinyHunters is a well-known threat actor group notorious for extorting companies by threatening to leak stolen data unless a ransom is paid. In this case, they alleged to have accessed Infinite Campus systems and exfiltrated records before making their demands public. While Infinite Campus has not disclosed the exact entry point, such attacks often exploit weak credentials, unpatched vulnerabilities, or third-party integrations. Given the sensitive nature of student information systems, this breach highlights the need for robust access controls and continuous monitoring. The group has a history of targeting education technology firms, suggesting they view these organizations as soft targets with valuable data and limited cybersecurity resources.

What to Do Right Now

If you are a school staff member whose information may be involved, take these steps:

• Check Have I Been Pwned: Visit haveibeenpwned.com and search for your email address to see if it appears in this breach.
• Be wary of phishing: Attackers may use the exposed data to send targeted emails that appear to come from your school district or IT department. Do not click links or download attachments unless you verify the sender through a separate channel.
• Monitor for unusual activity: Keep an eye on your phone for spam calls or text messages, and watch for physical mail that seems suspicious. Your address and phone number are now in the hands of a threat actor.
• Update passwords: If you use the same password for your Infinite Campus account as other services, change it immediately. Enable two-factor authentication wherever possible.

How to Check If You’re Affected

The easiest way to verify if your data was part of this breach is to use the Have I Been Pwned service. Visit the Infinite Campus breach page on HIBP and enter your email address. The site will tell you if your email appears in the leaked data. Note that the breach includes staff contact information, not student data, but the risk to those staff members is real. If your email is listed, consider it compromised and take the precautions above.

Security Insight

This breach demonstrates a recurring problem in the education technology sector: the assumption that “directory information” is harmless. While names and contact details may be public, their aggregation in a single leak enables sophisticated social engineering that would not be possible with scattered public data. Infinite Campus’s response downplaying the risk is a telltale sign of security theater — treating data as low-risk because it’s technically public, rather than evaluating it in the hands of a motivated attacker.

Further Reading

• All High Breaches
• Recent Data Breaches