Salesforce Breach Exposed 137,000 Staff Records

A data breach affecting education technology provider Infinite Campus has exposed the personal information of more than 137,000 school staff members.

The incident occurred after threat actors allegedly compromised the company’s Salesforce environment and leaked stolen records online.

“The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets,” data breach notification service Have I Been Pwned (HIBP) said in its analysis of the leaked data.

Key takeaways of the Infinite Campus incident

• Infinite Campus says the incident targeted its Salesforce environment, not its student information databases.
• The breach exposed personal and contact information tied to approximately 137,000 school staff accounts.
• ShinyHunters claimed responsibility and allegedly leaked a 1.2 GB archive of Salesforce records and internal data.
• Although student records were not compromised, the exposed data could support phishing and social engineering campaigns.
• The incident underscores the growing security risks of SaaS platforms and third-party vendors in education.

Inside the Infinite Campus incident

As BleepingComputer reported, the incident highlights the growing cybersecurity risks facing schools and other educational institutions that rely heavily on third-party cloud platforms to manage sensitive operational data.

Infinite Campus is one of the largest student information system (SIS) providers in the United States, serving more than 3,200 school districts across 46 states and supporting approximately 11 million students.

As educational institutions increasingly rely on cloud-based services, attacks against third-party vendors can expose thousands of customers to risk, even when the schools’ core systems remain secure. According to Infinite Campus, the attack targeted the company’s Salesforce environment rather than its student information databases.

The organization stated that the exposed information primarily consisted of school staff names and contact details, much of which is publicly available through school directories and websites. However, the breach still impacted more than 137,000 accounts, underscoring the security risks of SaaS applications.

ShinyHunters claims responsibility

The ShinyHunters extortion group has claimed responsibility and leaked a 1.2 GB archive of alleged Salesforce records and internal data.

Have I Been Pwned (HIBP) found the leaked data included names, email addresses, phone numbers, usernames, physical addresses, and support ticket information from approximately 137,100 accounts.

Potential risks from the exposed data

Although no student records were compromised, the leaked data could help attackers conduct phishing and social engineering campaigns.

Infinite Campus has already notified those impacted by the incident.

Must-read security coverage

How to reduce third-party security risks

As educational organizations continue relying on third-party services, security teams should layer controls and conduct continuous third-party risk assessments.

• Enforce phishing-resistant MFA and strong conditional access policies for all privileged accounts.
• Review user, service account, and third-party application permissions regularly and apply least-privilege access controls.
• Audit OAuth integrations and remove unnecessary or excessive third-party access to SaaS platforms.
• Monitor SaaS environments for suspicious activity, unusual logins, unauthorized data exports, and signs of account compromise.
• Enable centralized logging, data loss prevention (DLP), and continuous security monitoring to improve threat detection and response.
• Conduct regular third-party risk assessments and evaluate the security practices of vendors that handle sensitive data.
• Test incident response plans through tabletop exercises and ensure SaaS-related breach scenarios are included in response procedures.

For security teams, the Infinite Campus incident serves as another reminder that SaaS platforms and third-party providers have become critical components of the enterprise attack surface.

Even when core systems and sensitive customer data remain untouched, compromised cloud environments can expose valuable information that fuels phishing, social engineering, and other follow-on attacks.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.