A massive cyber extortion campaign continues to sweep through the education technology (EdTech) sector. The ShinyHunters campaign has struck again, with the threat group claiming responsibility for a major data breach at Infinite Campus.

The threat group known as ShinyHunters has officially claimed responsibility for a data breach at Infinite Campus, a widely used K-12 student information system that manages data for 11 million students across 46 states. The incident, which stems from a targeted attack on the company’s Salesforce environment, has exposed the personal information of over 137,000 school staff accounts.

This breach is a direct continuation of the broader ShinyHunters campaign we covered in our previous analysis of how ShinyHunters breached Canvas.

Here is what happened in the latest incident, why ShinyHunters is hyper-focused on this sector, and what organizations must do to secure their third-party integrations amid the ongoing ShinyHunters campaign.

What Happened in the Infinite Campus Breach?

According to details analyzed by BleepingComputer and security researchers at Have I Been Pwned, ShinyHunters targeted the cloud-based Salesforce instance used by Infinite Campus rather than the company's own infrastructure.

While the company’s core student databases remain uncompromised, the hackers managed to exfiltrate a 1.2GB archive of internal documents and corporate records. The leaked data includes:

  • Unique names and email addresses
  • Physical addresses and phone numbers
  • Job titles and employer details
  • Internal support tickets and usernames

While Infinite Campus noted that much of this involves “directory information commonly found on school websites,” the aggregation of this data into a single, malicious database changes the threat equation entirely. This tactic is typical of the ShinyHunters campaign, turning publicly available fragments into powerful weapons for further attacks.

The ShinyHunters Campaign Playbook: Weaponizing the Supply Chain

ShinyHunters isn’t a new threat actor, but their recent focus on enterprise SaaS (Software-as-a-Service) environments like Salesforce represents a highly calculated shift in the ShinyHunters campaign.

Rather than wasting time trying to crack the hardened perimeter of an individual school district or corporation, they strike the central hub. By compromising the third-party providers that thousands of institutions trust, a single breach yields data on hundreds of thousands of targets simultaneously.

In this ShinyHunters campaign, the downstream risk isn’t necessarily a massive infrastructure shutdown—it is a wave of hyper-targeted, secondary attacks. Equipped with real names, phone numbers, exact job titles, and historical support tickets, attackers can craft flawless phishing pretexts. A school administrator receiving an email that references a real, historical support ticket from Infinite Campus is highly likely to click a malicious link or hand over login credentials. This approach significantly increases the success rate of follow-on social engineering attacks.

The Downstream Threat

The real danger of the ShinyHunters campaign lies in how the stolen data is weaponized. With detailed staff information in hand, threat actors can launch highly personalized phishing campaigns that appear legitimate. Because these messages reference specific internal matters, such as a real support ticket, they are extremely difficult for even cautious users to spot. As the campaign continues, education institutions and their vendors should assume that their staff will face increased targeting in the coming weeks and months.

Hardening Your SaaS and Third-Party Cloud Environments

The Infinite Campus and Canvas breaches demonstrate that securing your own network is no longer enough; you have to secure your integrations. At Black Belt Secure, we recommend four immediate defensive steps for organizations navigating this ShinyHunters campaign:

  1. Audit Third-Party API Permissions: Review what access tokens and API keys your external platforms hold. If an EdTech or SaaS vendor is breached, revoking and rotating those keys immediately prevents attackers from pivoting into your environment.
  2. Enforce Multi-Factor Authentication (MFA) Everywhere: Ensure that administrative accounts on platforms like Salesforce require robust MFA—ideally phishing-resistant methods like FIDO2/WebAuthn keys—to block credential stuffing attacks.
  3. Implement Advanced Phishing Defenses: Expect an increase in sophisticated social engineering attempts targeting your staff. Deploy behavioral-based email security tools that flag anomalies in email headers and communication patterns, rather than relying solely on static blocklists.
  4. Conduct SaaS Configuration Reviews: Cloud platforms are highly customizable, which often leads to configuration drift and accidental exposure. Regularly review the access controls, sharing rules, and public-facing endpoints of your CRM and ERP systems to reduce risk.
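The header checks described in step 3 can be illustrated with a small stdlib-only script. This is an added example, not a tool from Black Belt Secure or any vendor named above; the vendor name `example-sis`, its domain and both sample messages are constructed for the demonstration, and a real deployment would load the vendor allowlist from your own records.

```python
"""Header-anomaly checks for vendor-impersonation phishing (stdlib only)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: lowercase vendor keyword -> domains that vendor really mails from.
# "example-sis" is a hypothetical EdTech vendor used only for this example.
KNOWN_VENDORS = {"example-sis": {"example-sis.test"}}


def _domain(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_anomalies(raw_message):
    """Return the reasons a message's headers look like vendor impersonation."""
    msg = message_from_string(raw_message)
    reasons = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    # 1. Display name claims a known vendor, but the sending domain is not theirs.
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in name.lower() and from_dom not in domains:
            reasons.append(f"display name claims {vendor} but From domain is {from_dom}")
    # 2. Reply-To points somewhere other than the From domain (reply hijack).
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Authentication-Results (added by your own MX) shows a failed or absent check.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            reasons.append(f"{mech} did not pass ({m.group(1) if m else 'absent'})")
    return reasons


# Constructed sample messages (headers only); no real addresses are used.
LEGIT = """From: Example-SIS Support <support@example-sis.test>
To: admin@district.test
Authentication-Results: mx.district.test; spf=pass; dkim=pass; dmarc=pass
Subject: Ticket #4821 update
"""
SUSPECT = """From: Example-SIS Support <support@exampie-sis-helpdesk.test>
Reply-To: tickets@mail-recovery.test
To: admin@district.test
Authentication-Results: mx.district.test; spf=pass; dkim=none; dmarc=fail
Subject: Re: Ticket #4821 - action required
"""
```

Run as a filter in front of a ticketing or mail pipeline, a message that scores any reason is routed for review instead of being matched against a static blocklist.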

Stay Ahead of the Campaign with Black Belt Secure

The education and public sectors remain top-tier targets for extortion groups because of the vast amounts of aggregated data they handle and the complexity of their software supply chains. The ShinyHunters campaign is far from over, and understanding your exposure is the first step toward defense.

At Black Belt Secure, we specialize in supply chain risk assessments, cloud security configurations, and proactive threat hunting. Let us help you verify that your third-party integrations are assets to your organization—not liabilities. Our team can help map potential weak points in your EdTech ecosystem and strengthen defenses against the evolving ShinyHunters campaign and similar threats.

Reach out to our security team today to discuss how we can secure your perimeter and protect your staff from sophisticated phishing campaigns.