The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March.
Infinite Campus is an education technology (EdTech) company that provides a student information system (SIS) to over 3,200 school districts across the United States, managing data for 11 million students in 46 states.
Although it didn't attribute the incident to a specific hacking group when it notified customers of the breach in March, Infinite Campus described the attacker as "part of a group known for targeting the Salesforce accounts of hundreds of companies."
Infinite Campus also told affected customers that the exposed data contained the names and contact details for school staff and other publicly available information, but added that it had no evidence that customer databases were compromised.
"Their target was the Infinite Campus Salesforce instance, consisting of names and contact information for school staff; the majority is directory information commonly found on school websites," it said.
While Infinite Campus didn't share further details about the attack, the ShinyHunters data extortion group claimed responsibility for the breach on its data leak site and leaked a 1.2GB archive of documents allegedly containing Salesforce records with personally identifiable information (PII) and other internal corporate data.
Infinite Campus on ShinyHunters data leak site (BleepingComputer)
Data breach notification service Have I Been Pwned analyzed the leaked data and said today that the breach has exposed data from 137,100 accounts, including unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets.
"The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets," Have I Been Pwned said.
"Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of 'names and contact information for school staff' and that 'the majority is directory information commonly found on school websites'."
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now
<small>Source: Bleeping Computer</small>
