Data Breaches Bearish 8

ShinyHunters & FulcrumSec Ramp Up EdTech Attacks: 137K Accounts Stolen

· 4 min read ·
Share

Key Takeaways

  • Two major threat actor groups are driving a crisis in education technology, with ShinyHunters stealing 137,000 staff records via Infinite Campus and FulcrumSec paralyzing Global Schools Foundation.
  • The incidents reveal a shift in cybercriminal focus toward low-defence, high-value academic data repositories.

Mentioned

ShinyHunters threat-actor FulcrumSec threat-actor Resecurity company Infinite Campus company Global Schools Foundation organization Glendale Community College organization Moody Bible Institute organization Illinois Central College organization Houston City College organization Salesforce technology

Key Intelligence

Key Facts

  1. 1ShinyHunters announced new educational institution victims on June 16, 2026, including Glendale Community College and three others, adding to a pattern of EdTech targeting.
  2. 2A March 2026 Salesforce data theft by ShinyHunters compromised personal information from 137,000 school staff accounts within the Infinite Campus student information system, used by 3,200 U.S. districts serving 11 million students.
  3. 3FulcrumSec executed a ransomware attack on the Global Schools Foundation in early June 2026, resulting in data exfiltration and operational disruption across its international network of schools.
  4. 4Resecurity issued an industry-wide warning highlighting the education technology sector as a prime target for cybercriminals due to escalating attack sophistication and extortion tactics.
  5. 5The Infinite Campus breach exemplifies supply-chain vulnerability, as a single vendor compromise exposed data across thousands of school districts in 46 states.
EdTech Security Posture

Analysis

Cybersecurity professionals monitoring the education sector are witnessing a coordinated onslaught from two distinct threat actor groups: ShinyHunters, known for aggressive data exfiltration and auctioning compromised databases, and FulcrumSec, a ransomware operator crippling international institutions. The scale of the late-spring attacks—137,000 staff accounts from a single vendor and a multi-national school network brought offline—signals that the EdTech attack surface has expanded well beyond traditional ransomware into sophisticated supply-chain exploitation and persistent extortion. For threat intel teams, this is a call to map academic sector TTPs with renewed urgency.

The education technology sector is confronting a severe escalation in cyberattacks, marking a pivotal moment for K-12 districts, higher education, and the platforms that underpin digital learning. Two prominent threat actor groups, ShinyHunters and FulcrumSec, have executed high-impact breaches in 2026, exposing systemic vulnerabilities that extend far beyond individual institutions. On June 16, 2026, ShinyHunters disclosed a fresh wave of victims, including Glendale Community College, Moody Bible Institute, Illinois Central College, and Houston City College, underscoring the group's continued focus on academic targets. This announcement followed a far more extensive breach traced to March, where the same threat actors exploited a vulnerability in the Salesforce-powered back-end of Infinite Campus, a leading student information system. That single compromise exfiltrated personal data from 137,000 school staff accounts across the United States, potentially affecting the 11 million students whose records are managed by the platform in over 3,200 districts. Concurrently, FulcrumSec carried out a ransomware attack on the Global Schools Foundation, a multinational network headquartered in Singapore, in early June 2026, causing operational paralysis and extensive data exfiltration across multiple countries. The dual campaigns illustrate a strategic pivot by cybercriminals: EdTech is no longer a peripheral target but a central repository of sensitive personal, financial, and academic data, often guarded by under-resourced IT departments and aging infrastructure.

On June 16, 2026, ShinyHunters disclosed a fresh wave of victims, including Glendale Community College, Moody Bible Institute, Illinois Central College, and Houston City College, underscoring the group's continued focus on academic targets.

Industry context reveals why educational technology platforms have become such attractive prey. The rapid digitization of classrooms, accelerated by the COVID-19 pandemic and sustained by hybrid learning models, created an explosion of interconnected systems—learning management systems, student information systems, administrative portals, and cloud-based collaboration tools. Infinite Campus, for example, serves as a single source of truth for millions of students, aggregating grades, attendance, health records, and special education plans. The ShinyHunters breach targeting its Salesforce instance highlights the cascading risk of supply-chain attacks: one vendor compromise can ripple through thousands of downstream organizations. School districts, often bound by tight budgets and legacy procurement cycles, may lack the resources for advanced threat detection or zero-trust architectures, making them easy marks for credential theft and extortion. The FulcrumSec attack on GSF further demonstrates how international school networks, which consolidate data from geographically dispersed campuses, present a high-value target for ransomware gangs seeking maximum leverage. Such attacks often disrupt not just administrative functions but also classroom instruction, communication, and compliance with increasingly stringent data protection regulations.

What to Watch

The implications are multifaceted. For students and families, exposed data can include Social Security numbers, medical records, behavioral assessments, and even bus routing information, elevating the risk of identity theft, phishing, and physical safety concerns. For institutions, the fallout includes ransom demands, regulatory fines under FERPA or GDPR equivalents, reputational damage, and loss of trust that can undermine enrollment and funding. The economic impact on EdTech vendors themselves is also significant: a single breach can trigger class-action lawsuits, contractual penalties, and a flight of clients to competitors. The surge in attacks signals a broader shift toward monetizing educational data through dark web marketplaces, where ShinyHunters is known to sell or auction compromised databases. Meanwhile, the tactics used—business email compromise, exploited APIs, and ransomware-as-a-service—are evolving in sophistication, blending financial extortion with hacktivism or ideological motives. Resecurity’s warning, backed by threat intelligence, suggests the trend is accelerating as threat actors recognize the low barrier to entry and high potential payout within the sector.

Looking ahead, the EdTech cybersecurity crisis will likely intensify as the 2026-2027 academic year approaches, a period when schools onboard new students and systems become prime for exploitation. Expect increased regulatory scrutiny, with calls for mandatory cybersecurity standards for vendors serving K-12 and higher education. The Federal Trade Commission and Department of Education may enforce stricter data stewardship requirements, while insurance premiums for educational institutions could skyrocket. Technology providers will need to invest in hardened single-sign-on, multi-factor authentication, and real-time monitoring to restore confidence. The incidents also highlight the urgent need for cross-sector intelligence sharing between school IT consortia, cybersecurity firms, and law enforcement. Without collective action, the digital foundation of modern education risks becoming its greatest liability.

Timeline

Timeline

  1. ShinyHunters breaches Infinite Campus via Salesforce

  2. FulcrumSec ransomware attack on Global Schools Foundation

  3. ShinyHunters announces additional victims

Cite This Page

"ShinyHunters & FulcrumSec Ramp Up EdTech Attacks: 137K Accounts Stolen." Cyber Intelligence Brief, June 18, 2026. https://getcyberbrief.com/story/cyber-edtech-breach-shinyhunters-fulcrumsec-timeline

From the Network

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.