Yes — Infinite Campus (infinitecampus.com) was breached. The K–12 student information system (SIS) vendor now appears on Have I Been Pwned with 137,123 accounts from a March 2026 ShinyHunters “pay or leak” extortion campaign.
HIBP added the breach on June 15, 2026. Published data allegedly includes email addresses, names, phone numbers, physical addresses, and support tickets — largely reflecting school staff directory information, according to Infinite Campus notifications cited by HIBP.
We scanned infinitecampus.com to assess email and domain security posture relevant to districts across Texas and nationwide.
What Happened
According to Have I Been Pwned:
- March 2026 — ShinyHunters targeted Infinite Campus in a pay-or-leak extortion campaign.
- The group published data it claimed was taken from the company’s systems.
- 137,123 unique email addresses were exposed, along with names, phone numbers, physical addresses, and support tickets.
- Infinite Campus notified affected parties, advising that exposed data largely consisted of school staff names and contact information — much of it directory data commonly published on district websites.
- HIBP added the breach on June 15, 2026.
Infinite Campus serves hundreds of school districts nationwide. Even “directory” staff data combined with support tickets can fuel spear-phishing against principals, registrars, and IT admins with SIS access.

Breach Impact at a Glance
| Field | Detail |
|---|---|
| Victim | Infinite Campus (infinitecampus.com) |
| Sector | K–12 student information systems (edtech) |
| Threat actor | ShinyHunters |
| Accounts affected | 137,123 |
| Breach period | March 2026 |
| Added to HIBP | June 15, 2026 |
| Data types | Emails, names, phones, addresses, support tickets |
| Primary exposure | School staff directory & contact info |
Data at Risk
Exposed records may include:
- School staff email addresses and phone numbers
- Names and physical addresses for district employees
- Support tickets that may reference district-specific technical issues
- Contact graphs linking Infinite Campus support staff to district IT admins
Texas districts should treat this as a supply-chain exposure — compromised vendor contact data can precede phishing against district SIS administrators. See our Texas ISD ransomware tracker.

Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit of infinitecampus.com on July 5, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| infinitecampus.com | 50% | 5% | 15% | 92% | Average |
Key findings:
- 50% overall (Average) — below the 100% ideal for an edtech vendor holding district relationship data.
- 5% Identity & Spoofing — critically weak DMARC/SPF posture; spoofed
@infinitecampus.compassword-reset and support messages are far easier to deliver to district staff. - 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT reporting.
- 92% Website Security — strong public-site headers, but email identity failure is the dominant gap.
For Texas ISDs relying on Infinite Campus, 5% identity spoofing on the vendor domain is a serious post-breach concern — attackers with staff emails can pair them with convincing forged vendor messages.
Audit link: infinitecampus.com audit
Priority Actions
For district IT and school staff:
- Verify Infinite Campus support requests through official portal login — not embedded email links.
- Alert registrars and counselors to watch for spoofed SIS password-reset messages.
- Review Texas ISD ransomware tracker and government & education breaches.
For edtech vendors:
- Deploy DMARC
p=rejecton all customer-facing mail domains immediately. - Audit Salesforce integrations, API tokens, and admin MFA — the common ShinyHunters entry path in this wave.
Sources: HIBP — Infinite Campus · EmailMeNow audit — infinitecampus.com