On March 18, 2026, ShinyHunters breached Infinite Campus - the largest privately held K-12 student information system provider in the United States, serving 3,200+ school districts and managing data for 11 million students across 46 states - through a voice phishing call to a single employee.
At 2:38 p.m., an offsite Infinite Campus employee received a vishing call impersonating IT support and entered credentials into a fake login page, allowing the attacker to bypass MFA.
By 2:44 p.m., the attacker had authenticated into Infinite Campus's Salesforce instance and begun exporting customer directory reports. By 2:48 p.m. - ten minutes after initial contact - Infinite Campus IT blocked the impostor website and disabled the compromised account.
The active attack lasted 10 minutes. On March 22, ShinyHunters posted a claim on their Tor extortion site alleging broader data theft and issuing a "final warning" with a March 25 deadline. Infinite Campus CEO Charlie Kratsch notified customers on March 24.
Infinite Campus refused to engage.
The company maintains that attackers accessed only names and contact information for school staff - directory data commonly found on school websites - and that no student databases, no customer databases, and no student records were compromised.
ShinyHunters claims to have stolen Salesforce records containing PII and internal corporate data. As of March 31, six days past the extortion deadline, ShinyHunters has not published the data.
Law firms Migliaccio & Rathod LLP and Shamis & Gentile P.A. have opened investigations into potential class action claims.
KEY FACTS
- What: Voice phishing (vishing) attack targeting an employee's Salesforce credentials via a fake login page with real-time MFA bypass, enabling export of Salesforce customer directory data.
- Who: Infinite Campus, Inc. (Blaine, Minnesota; ~$118M revenue FY2026; 650+ employee-owners; founded 1993 by Charlie Kratsch). Serves 3,200+ K-12 school districts managing data for 11 million students across 46 states.
- How: Attacker impersonated IT support via phone (vishing), directed an offsite employee to a credential harvesting page mimicking the legitimate login portal, and captured credentials and MFA codes in real time. Gained authenticated Salesforce access and began bulk-exporting contact directory reports.
- Data (confirmed by Infinite Campus): Names and contact information for school staff members - described as "directory information commonly found on school websites."
- Data (claimed by ShinyHunters): Salesforce records containing PII and "various internal corporate data." No samples published. No independent verification.
- Actor: ShinyHunters (Google Threat Intelligence: UNC6040/UNC6240/UNC6395). Part of the Scattered LAPSUS$ Hunters (SLH) collective. Part of a broader Salesforce vishing campaign that has compromised 760+ organizations since 2025.
- Impact: Extortion demand refused. No data published as of March 31 (6 days past deadline). Two class action investigations opened. Customers without IP restrictions had services temporarily disabled. North Carolina Department of Public Instruction issued advisories to school districts statewide.
WHAT HAPPENED
Infinite Campus is a privately held education technology company founded in 1993 by Charlie Kratsch and headquartered in Blaine, Minnesota.
It is the largest privately held K-12 student information system (SIS) provider in the United States, competing with PowerSchool (which went public in 2021 and was itself breached in December 2024), Skyward, and Tyler Technologies.
The platform manages student enrollment, grades, attendance, scheduling, health records, IEP/special education data, behavior records, parent contact information, and state reporting for 3,200+ school districts across 46 states.
The company reported approximately $118 million in revenue for FY2026 and employs 650+ employee-owners. Infinite Campus uses Salesforce as its internal case management and customer support ticketing system - distinct from the student information system database.
On the afternoon of Wednesday, March 18, 2026, a ShinyHunters operator called an offsite Infinite Campus employee by phone, impersonating IT support.
At 2:38 p.m., the employee fell for the social engineering and entered credentials into a fake login page - a credential harvesting site designed to capture both the username/password and the MFA code in real time.
This is ShinyHunters' signature technique: a human-operated phishing panel where an attacker controls what the victim sees while simultaneously relaying intercepted credentials and MFA tokens to authenticate on the legitimate service.
By 2:44 p.m., the attacker had used the captured credentials to authenticate into Infinite Campus's Salesforce instance and begun exporting customer directory reports containing names and contact information for school district staff. By 2:48 p.m. - just ten minutes after the initial vishing call - Infinite Campus IT and security teams had flagged the suspicious activity, blocked the impostor website, and disabled the compromised Salesforce account. The attacker was locked out.
On March 22, ShinyHunters posted a claim on their Tor-based extortion site alleging they had breached Infinite Campus and stolen company data.
The post included a "final warning" demanding the company initiate contact and negotiate a ransom by March 25, 2026, or face a full data leak: "This is a final warning to reach out by 25 Mar 2026 before we leak along with several annoying (digital) problems that'll come your way."
On March 24, Infinite Campus CEO Charlie Kratsch sent a notification to customers disclosing the incident and detailing the company's response.
The notification confirmed the breach was limited to the Salesforce instance and stated that no customer databases, no student information system data, and no student records were accessed.
As a precaution, Infinite Campus temporarily disabled certain customer-facing services for customers lacking IP address restrictions, to reduce potential exposure if sensitive data had been shared through support communications.
The company initiated a comprehensive scan of all Salesforce data with the assistance of security partners and began contacting affected school districts with specific guidance.
ShinyHunters confirmed to DataBreaches.net that it was "just the Salesforce data" that was compromised and acquired, and that no student or employee databases were involved - a rare instance of a threat actor corroborating a victim's damage assessment.
As of March 31, 2026 - six days past the March 25 extortion deadline - ShinyHunters has not published the allegedly stolen data and no data samples have been released.
THREAT ACTOR
ShinyHunters is tracked by Google Threat Intelligence as UNC6040 (initial access/social engineering), UNC6240 (extortion), and UNC6395 (supply chain operations).
The group formed the Scattered LAPSUS$ Hunters (SLH) collective with Scattered Spider and LAPSUS$ in August 2025 - assessed by LevelBlue as a federated ecosystem where several players collaborate and share infrastructure while retaining operational autonomy.
The Infinite Campus breach is part of ShinyHunters' systematic Salesforce vishing campaign, which Google and Mandiant have described as among the largest SaaS compromise operations in history. The campaign operates in two tracks:
Track 1 - Vishing/credential theft (UNC6040): Since mid-2025, ShinyHunters has impersonated IT support via phone calls, directing targets to credential harvesting pages that capture SSO credentials and MFA codes in real time.
Silent Push identified approximately 150 malicious domains targeting Okta SSO portals in January 2026 alone.
Confirmed victims include Odido (6.2M subscribers), Figure Technology (967K accounts), Panera Bread (5.1M), CarGurus (12.4M), SoundCloud (29.8M), Harvard, UPenn, Match Group, Canada Goose, Allianz Life, and LVMH.
Track 2 - Supply chain/OAuth abuse (UNC6395): Between March-June 2025, ShinyHunters compromised Salesloft's GitHub, pivoted to Drift's AWS, and stole OAuth tokens for 760 Salesforce customer integrations.
This enabled the TELUS Digital breach (1PB claimed, $65M ransom) and cascading compromise of hundreds of organizations.
In March 2026 alone, ShinyHunters claimed breaches against TELUS Digital (1PB, March 12), Figure Technology (967K, January 28/published February 13), Infinite Campus (March 18), Ameriprise Financial (200GB, March 22), the European Commission (350GB AWS, March 24), Crunchyroll (6.8M via TELUS/Okta), Aura (900K), and Woflow (Walmart, DoorDash, Uber data).
The group's ransom demands have ranged from EUR 500,000 (Odido, reduced) to $65 million (TELUS Digital), with typical demands of 4-20 BTC and 3-4 day deadlines per Mitiga reporting.
Key arrests have not dismantled operations. Sebastien Raoult received three years plus $5M restitution (January 2024). Matthew D. Lane (19) pleaded guilty to the PowerSchool hack (June 2025).
Four French affiliates were arrested in June 2025. IntelBroker was arrested in France in February 2025. Core leadership remains operational.
WHAT WAS EXPOSED
Confirmed by Infinite Campus:
- Names and contact information (email addresses, phone numbers) for school district staff members - described as "directory information commonly found on school websites."
Confirmed by ShinyHunters (to DataBreaches.net):
- Salesforce records only. No student databases. No employee databases.
Claimed by ShinyHunters (unverified):
- Salesforce records containing "personally identifiable information" and "various internal corporate data."
- No data samples have been published. No independent verification exists.
NOT compromised (per Infinite Campus investigation and ShinyHunters' own confirmation):
- Student records (grades, attendance, health, IEP/special education, behavior)
- Parent/guardian PII
- Customer databases (the SIS platform itself)
- Social Security numbers
- Financial information
Context: Infinite Campus's Salesforce instance is a customer support and case management system, separate from the student information system database that houses the sensitive education records for 11 million students.
The 10-minute attack window significantly limited the data that could be exported. Infinite Campus's decision to temporarily disable services for customers without IP restrictions suggests the company recognized the risk that sensitive data had been shared through support communications.
TECHNICAL FAILURE CHAIN
1. Vishing defeated employee training. A single phone call impersonating IT support was sufficient to convince an offsite employee to enter credentials into a fake login page.
Social engineering awareness training existed (as it does at most organizations), but awareness did not translate into a behavioral control capable of preventing real-time credential relay.
The attacker followed ShinyHunters' established playbook: call an employee, claim the company is updating MFA settings, direct them to a convincing phishing page.
2. MFA bypassed via real-time credential relay. MFA was deployed but was not phishing-resistant.
The attacker operated a live phishing panel - a human-operated toolkit that intercepts credentials and MFA codes as the victim enters them and replays them to the legitimate service in real time. This defeats SMS codes, TOTP authenticator apps, and push notifications.
Only FIDO2/WebAuthn hardware security keys are immune to this attack class because the authentication is cryptographically bound to the legitimate domain - a phishing page cannot intercept what it cannot relay.
3. No IP allowlisting on Salesforce administrative access. The attacker authenticated to Salesforce from an unauthorized IP address.
Infinite Campus's own response - temporarily disabling services for customers "without IP address restrictions" - confirms that IP allowlisting was not universally enforced.
If Salesforce login had been restricted to corporate IP ranges or VPN endpoints, the stolen credentials would have been useless from the attacker's infrastructure.
4. Salesforce data export without secondary authorization. Once authenticated, the attacker was able to begin exporting customer directory reports within minutes. No secondary approval workflow, no data export rate limiting, and no DLP inspection prevented the bulk export.
Salesforce provides native controls for restricting report export permissions and limiting data export to specific roles - these were either not configured or insufficiently restrictive.
5. Rapid detection, effective containment. To Infinite Campus's credit: the attack was detected within 10 minutes, the compromised account was disabled, the phishing site was blocked, and the attacker was ejected. This is significantly faster than industry benchmarks.
However, the damage was done within that window. Automated controls - not human response speed - are required to prevent exfiltration in attacks measured in minutes rather than hours.
INDICATORS OF COMPROMISE
Threat Actor:
- ShinyHunters (UNC6040/UNC6240)
- Part of Scattered LAPSUS$ Hunters collective
Attack Vector:
- Voice phishing (vishing) targeting offsite employee
- Credentials and MFA captured via live phishing panel
- Gained access to Salesforce instance
Timeline:
- 2:38 PM: Employee falls for vishing call
- 2:44 PM: Attacker authenticated into Salesforce
- 2:48 PM: IT blocked impostor site and disabled account
- 10-minute active attack window
Extortion:
- March 22: Claim posted with March 25 deadline
- No data published as of March 31 (6 days past deadline)
REGULATORY EXPOSURE
- FERPA (20 U.S.C. § 1232g) - Infinite Campus operates as a "school official" under FERPA through its data processing agreements with school districts. If the Salesforce instance contained any education records or PII from education records shared in support cases, FERPA's disclosure restrictions apply. FERPA itself does not mandate direct breach notification to parents, but it does require the educational agency to maintain a record of each disclosure. Critically, FERPA liability falls on the school district, not the vendor - making Infinite Campus's rapid notification and damage assessment essential for districts' own compliance.
- State Student Privacy Laws - At least 46 states have enacted student data privacy statutes or incorporated student data protections into existing privacy law. Specific obligations triggered include: California (SOPIPA - prohibits commercial use of student data; AG notification required for breaches affecting 500+ residents); Illinois (SOPPA/ISSRA - private right of action for student privacy violations); New York (Education Law 2-d - mandatory Parents' Bill of Rights, AG notification regardless of breach size); Texas (Texas Education Code § 32.151-32.157 - ed-tech vendor security obligations); Colorado (Student Data Transparency and Security Act); and Minnesota (Infinite Campus's home state - Minnesota Government Data Practices Act, Minn. Stat. § 13.32 for student data).
- COPPA (Children's Online Privacy Protection Act, as amended June 2025) - Applies to children under 13. A significant portion of K-12 students served by Infinite Campus are elementary school students under 13. If any data from children under 13 was in the Salesforce instance, the FTC's updated COPPA Rule (effective June 23, 2025; compliance deadline April 22, 2026) imposes enhanced data security obligations. Penalty: up to $53,088 per violation (adjusted for inflation).
- State Breach Notification Laws - All 50 states have breach notification statutes. Exposure of staff PII (names, email addresses, phone numbers) triggers notification obligations in most states, though thresholds vary. Since Infinite Campus serves districts in 46 states, the company faces a patchwork of notification requirements with varying timelines (typically 30-60 days) and AG notification thresholds.
- FTC Act Section 5 - Unfair or deceptive trade practices. If Infinite Campus's contractual security representations to school districts were not met, the FTC could pursue enforcement. The FTC has historically prioritized cases involving children's data.
- Contractual and Tort Liability - Infinite Campus's data processing agreements with school districts carry a $1 million+ cyber-liability insurance policy. However, the class action investigations by Migliaccio & Rathod LLP and Shamis & Gentile P.A. indicate potential claims may exceed policy limits if the scope of exposed data is broader than currently disclosed.
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident:
1. The exact data exported during the 10-minute attack window has not been itemized by Infinite Campus or its forensic partners.
The company describes "names and contact information for school staff" but has not confirmed whether Salesforce support tickets - which may contain credentials, system configurations, internal communications, or fragments of education records - were among the exported data.
2. Whether Salesforce support cases contained any student PII or education record fragments (shared by school districts in support tickets) has not been addressed.
If a school district shared student records through a support case, those records would reside in the Salesforce instance the attacker accessed.
3. The specific method by which the attacker obtained the employee's phone number and knew they were an Infinite Campus employee has not been disclosed.
ShinyHunters' Salesforce campaign typically uses data harvested from prior breaches to build target lists for follow-on vishing - whether data from a prior ShinyHunters breach (e.g., Salesloft Drift) was used to identify and target Infinite Campus employees is unconfirmed.
4. ShinyHunters' claim of "various internal corporate data" beyond directory information has not been verified or refuted by independent forensic analysis.
The claim could represent exaggeration to increase extortion leverage, or it could indicate access to Salesforce objects beyond the customer contact directory.
5. Whether ShinyHunters will ultimately publish the data remains unknown as of March 31. The group's track record is mixed: they published Odido's full dataset after ransom refusal, published Figure Technology's data after ransom refusal, but have not yet published Infinite Campus data six days past their own deadline.
The relatively limited scope of confirmed data (staff directory information) may explain the delay - the data's extortion value is low if it is indeed publicly available directory information.
6. The exact number of school districts whose staff data was exported has not been disclosed by Infinite Campus.
7. Whether the vishing call used information from a prior breach to build credibility (e.g., referencing the employee's role, internal systems, or colleagues by name) has not been disclosed.
ShinyHunters' vishing operations typically incorporate reconnaissance data from prior compromises to increase social engineering success rates.
ZERO|TOLERANCE Advisory
1. Deploy Phishing-Resistant MFA (FIDO2/WebAuthn Hardware Security Keys) for All Employees with Salesforce or SIS Access. The vishing attack succeeded because MFA was bypassable via real-time credential relay.
FIDO2 hardware keys (YubiKey, Google Titan) are cryptographically bound to the legitimate domain origin - a phishing page at a fake domain cannot intercept or relay the authentication challenge.
Google eliminated account takeovers entirely after mandating hardware keys for all employees. This single control would have prevented the Infinite Campus breach.
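The origin-binding property that item 2 of the failure chain and this recommendation rely on, shown in code. This is an added illustration written for this write-up, not code from Infinite Campus, Salesforce, or any FIDO library. The TOTP half is RFC 6238 over the Python standard library; the WebAuthn half is a deliberately simplified model in which an HMAC stands in for the authenticator's private-key signature (the real thing is an asymmetric signature, but the verified fields are the same), and the two origins are made-up test domains. The point it demonstrates: a TOTP code verifies no matter where the user typed it, while an assertion produced on a look-alike origin fails the relying party's origin check before the signature is even considered.

```python
"""Why a relayed TOTP code verifies but a relayed WebAuthn assertion does not.

Added teaching example; not Infinite Campus or Salesforce code. The WebAuthn
part is a simplified model (HMAC in place of the authenticator's signature).
"""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example-sis.test"            # assumed relying-party origin
LOOKALIKE_ORIGIN = "https://login.example-sis-help.test"   # assumed credential-harvesting page


# ---------------------------------------------------------------- TOTP (RFC 6238)
def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def server_verify_totp(secret: bytes, submitted: str, now: float) -> bool:
    return hmac.compare_digest(totp(secret, now), submitted)


def relayed_totp_accepted(secret: bytes, now: float) -> bool:
    # The code the user reads off their authenticator app carries nothing that
    # ties it to a site. Whoever holds it within the time step can submit it.
    code_typed_on_lookalike_page = totp(secret, now)
    return server_verify_totp(secret, code_typed_on_lookalike_page, now)


# ---------------------------------------------------------------- WebAuthn-style
def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> dict:
    """The browser, not the user, writes the page origin into clientData; the
    authenticator signs a hash of that structure. Origin is not user-spoofable."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()  # stand-in for ECDSA/EdDSA
    return {"clientData": client_data, "signature": signature}


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the spec lists them: origin, challenge, signature."""
    data = json.loads(assertion["clientData"])
    if data.get("origin") != LEGIT_ORIGIN:
        return False                      # signed on the wrong origin: reject
    if data.get("challenge") != expected_challenge:
        return False                      # replay of an old challenge: reject
    digest = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_webauthn_accepted(cred_key: bytes, challenge: str) -> bool:
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, LEGIT_ORIGIN))


def relayed_webauthn_accepted(cred_key: bytes, challenge: str) -> bool:
    # A relay hands the real site's challenge to a browser sitting on the
    # look-alike origin, so that origin is what ends up under the signature.
    return rp_verify(cred_key, challenge, authenticator_sign(cred_key, challenge, LOOKALIKE_ORIGIN))


if __name__ == "__main__":
    key = b"constructed-credential-key"
    print("TOTP relayed    ->", relayed_totp_accepted(b"constructed-totp-seed", 1_700_000_000))
    print("WebAuthn legit  ->", legitimate_webauthn_accepted(key, "c0ffee"))
    print("WebAuthn relayed->", relayed_webauthn_accepted(key, "c0ffee"))
```

The same check is what makes the page's distinction between "MFA deployed" and "phishing-resistant MFA" concrete: the relying party rejects the relayed assertion because the browser wrote the look-alike origin into the signed data, and no amount of user cooperation changes that field.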
2. Enforce IP Allowlisting and Conditional Access on Salesforce. Restrict Salesforce login to corporate IP ranges, VPN endpoints, or managed devices via Salesforce Login IP Ranges and Trusted IP Ranges.
Combined with Salesforce Shield Event Monitoring, this ensures that even valid credentials cannot authenticate from attacker infrastructure. Infinite Campus acknowledged this gap by retroactively disabling services for customers without IP restrictions.
3. Implement Data Export Controls and DLP on Salesforce. Configure Salesforce to require secondary authorization for bulk report exports and data downloads. Enable Salesforce Shield Event Monitoring to detect and alert on anomalous export activity in real time.
Restrict report export permissions to specific roles and enforce export rate limits.
The attacker was able to begin exporting customer directory reports within minutes of authentication - automated DLP controls should have blocked or flagged this activity before the human response team intervened.
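A triage rule of the kind that items 3 to 5 of the failure chain and recommendations 2 and 3 describe, as an added example written for this write-up. It is not Salesforce Shield Event Monitoring or anything from Infinite Campus's tooling: the event records are constructed, their field names are an assumed simplified schema rather than Salesforce's real EventLogFile layout, the addresses are TEST-NET ranges, and the allowlist, usernames, report names and thresholds are illustrative. The constructed sequence mirrors the incident timeline (an off-allowlist login at 2:44 p.m. followed by a run of report exports over the next few minutes) so the rule's three alerts can be seen firing in order.

```python
"""Login-allowlist and report-export triage over Salesforce-style events.

Added example for this write-up; constructed records with an assumed schema,
not Salesforce's actual EventLogFile format or Infinite Campus's tooling.
Rules:
  login_outside_allowlist      - login source IP not in the trusted ranges
  export_after_untrusted_login - report export within `window` of such a login
  export_burst                 - `burst_threshold` exports inside `burst_window`
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed corporate/VPN egress ranges (TEST-NET-3 and TEST-NET-2, constructed).
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]


def ip_trusted(ip: str) -> bool:
    """The preventive control: the same check a login IP restriction enforces."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


# Constructed events. One normal session in the morning, then the 2:44 p.m.
# pattern from the incident: login from an unknown address, exports every minute.
EVENTS = [
    {"ts": "2026-03-18T09:12:00", "event": "Login",        "user": "support.agent", "ip": "203.0.113.15"},
    {"ts": "2026-03-18T09:30:00", "event": "ReportExport", "user": "support.agent", "ip": "203.0.113.15", "report": "Open Cases"},
    {"ts": "2026-03-18T14:44:02", "event": "Login",        "user": "support.agent", "ip": "192.0.2.77"},
    {"ts": "2026-03-18T14:44:50", "event": "ReportExport", "user": "support.agent", "ip": "192.0.2.77", "report": "Customer Contacts - District A"},
    {"ts": "2026-03-18T14:45:40", "event": "ReportExport", "user": "support.agent", "ip": "192.0.2.77", "report": "Customer Contacts - District B"},
    {"ts": "2026-03-18T14:46:30", "event": "ReportExport", "user": "support.agent", "ip": "192.0.2.77", "report": "Customer Contacts - District C"},
    {"ts": "2026-03-18T14:47:15", "event": "ReportExport", "user": "support.agent", "ip": "192.0.2.77", "report": "Customer Contacts - District D"},
]


def analyze(events, window=timedelta(minutes=10), burst_threshold=3,
            burst_window=timedelta(minutes=5)):
    """Return (rule, user, timestamp, detail) tuples in event order."""
    alerts = []
    untrusted_login = {}   # user -> time of most recent off-allowlist login
    recent_exports = {}    # user -> export times inside the burst window
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "Login":
            if not ip_trusted(e["ip"]):
                untrusted_login[user] = t
                alerts.append(("login_outside_allowlist", user, e["ts"], e["ip"]))
        elif e["event"] == "ReportExport":
            last_bad = untrusted_login.get(user)
            if last_bad is not None and t - last_bad <= window:
                alerts.append(("export_after_untrusted_login", user, e["ts"], e["report"]))
            # Sliding window: keep only exports still inside burst_window, then add this one.
            kept = [x for x in recent_exports.get(user, []) if t - x <= burst_window]
            kept.append(t)
            recent_exports[user] = kept
            if len(kept) == burst_threshold:   # fire once, when the threshold is crossed
                alerts.append(("export_burst", user, e["ts"],
                               f"{len(kept)} exports within {burst_window}"))
    return alerts


if __name__ == "__main__":
    for rule, user, ts, detail in analyze(EVENTS):
        print(f"{ts}  {rule:<30} {user}  {detail}")
```

Two things the example is meant to make visible. First, the preventive check is one line (`ip_trusted`) and, had it gated the login, none of the export alerts would have needed to exist; the detection rules are the fallback for when it does not. Second, the burst rule fires at the third export, about two and a half minutes into the constructed sequence, which is the kind of automated trigger item 5 of the failure chain says must act inside a window that human responders cannot.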
4. Mandate Out-of-Band Verification for IT Support Interactions. Establish a policy requiring employees to verify any unsolicited IT support call by hanging up and calling back on a verified internal IT number before entering credentials or approving MFA requests.
This callback verification procedure directly defeats vishing because the attacker cannot intercept a call initiated by the employee to a known-good number.
Salesforce published a security advisory on January 30, 2026 - 47 days before this breach - warning about this exact vishing campaign.
5. Segment and Minimize Salesforce Data. Audit the Salesforce instance for any data beyond its intended scope (support tickets containing credentials, configuration details, internal communications, or education record fragments).
Implement data minimization policies to ensure the customer support system contains only the minimum data necessary for its function.
The distinction between "directory information" and the full contents of a Salesforce CRM used for K-12 customer support is critical - support cases may contain sensitive information that the term "directory data" does not capture.
6. Conduct K-12 Vendor Security Assessments. School districts should require evidence of phishing-resistant MFA, IP-restricted access, data export controls, and incident response capabilities from all ed-tech vendors holding student or staff data.
The 2024 PowerSchool breach and the 2026 Infinite Campus breach demonstrate that the K-12 ed-tech sector is systematically targeted, and vendor security assessments must move beyond checkbox compliance questionnaires to evidence-based validation.
SOURCES
BleepingComputer, Cybernews, TechRadar, DataBreaches.net, CyberInsider, Prism News, Security Boulevard, SC Media, UpGuard, RedPacket Security, K12TechPro, ClaimDepot, Migliaccio & Rathod LLP, Netcrook, Dark Web Informer, Orange County Schools (NC DPI), Privacy Guides, Rankiteo, Mitiga, Varonis, Google Cloud Blog (Mandiant), AppOmni, Infinite Campus (FERPA Policy), US Department of Education (PTAC), FTC (COPPA Rule 2025)