What happened
Infinite Campus, a major U.S. K-12 student information system provider, warned customers of a security incident after attackers gained access to an employee’s Salesforce account, exposing limited data primarily consisting of contact and directory-style information. The notification followed claims by the ShinyHunters extortion group, which listed the company on its dark web leak site and threatened to release allegedly stolen data if ransom demands were not met. The company said it detected suspicious activity on March 18, 2026, quickly disabled the affected account, and launched an investigation, adding that there is no evidence customer databases or student records were accessed.
Who is affected
School staff and contacts whose information was stored in the affected Salesforce environment are impacted, while student data and core customer systems were not accessed, according to the company’s findings.
Why CISOs should care
The incident highlights ongoing attacks against SaaS platforms like Salesforce, where compromising a single employee account can expose organizational data and trigger extortion attempts without exploiting software vulnerabilities.
3 practical actions
Secure SaaS accounts with phishing-resistant MFA. Attacks targeting platforms like Salesforce often rely on credential compromise.
Monitor for abnormal account activity. Detect unusual access patterns tied to employee accounts handling sensitive data.
Prepare for extortion scenarios. Threat groups like ShinyHunters frequently use “pay-or-leak” tactics after gaining access.
