Infinite Campus, a student information system, had data on approximately 137,000 accounts stolen and published by the ShinyHunters group in March 2026 following an extortion campaign.
What happened
According to HIBP and reporting by BleepingComputer, in March 2026 the ShinyHunters threat group targeted Infinite Campus with a "pay or leak" extortion campaign. After the company did not comply, the group published data they claimed was taken from Infinite Campus.
What was exposed
According to HIBP, the published data included email addresses, names, phone numbers, physical addresses, support tickets, usernames, employers, and job titles across roughly 137,000 accounts. Infinite Campus subsequently notified affected parties, stating the exposed data largely consisted of names and contact information for school staff, and that most of it is directory-level information commonly found on school websites.
Who is affected
Reported by HIBP, the approximately 137,000 affected accounts are primarily school staff associated with districts and schools that use the Infinite Campus student information system.
What to do now
If you are a school staff member who uses Infinite Campus, monitor for phishing emails or unsolicited calls using your contact details. Review any support tickets you may have submitted for sensitive information. Consider updating your Infinite Campus password and enabling any available multi-factor authentication. Be alert to social engineering attempts that reference your employer or job title.