Published Wednesday, June 24, 2026 at 07:14 AM PT

BREAKING: ShinyHunters Exploits Oracle PeopleSoft Zero-Day, 100+ Organizations Compromised

BLUF: Threat actor group ShinyHunters has successfully breached more than 100 organizations by exploiting an unpatched zero-day vulnerability in Oracle PeopleSoft. All organizations running Oracle PeopleSoft should treat this as an active threat requiring immediate action.


DETAILS

  • ShinyHunters, a prolific financially motivated threat actor group previously linked to high-profile data theft operations, is confirmed as the actor behind this campaign
  • The attack vector is a zero-day vulnerability in Oracle PeopleSoft, meaning exploitation occurred before a patch was available; patch availability status at time of publication is not confirmed in source reporting
  • Confirmed victim count stands at 100+ organizations; full scope of affected entities, sectors, and geographic distribution has not been publicly confirmed
  • Nature of data accessed or exfiltrated across victim organizations has not been confirmed in available reporting; assume sensitive HR, financial, and identity data is at risk given PeopleSoft’s typical deployment profile
  • ShinyHunters has a documented history of large-scale data exfiltration and sale on criminal marketplaces; downstream exposure risk is elevated

IMPACT

  • Directly affected: Any organization running Oracle PeopleSoft, particularly internet-facing deployments
  • Scope: Enterprise-wide. PeopleSoft is widely deployed across higher education, government, healthcare, and large enterprises for HR, ERP, and financial management functions
  • Data at risk: Likely includes employee PII, payroll data, benefits records, and authentication credentials; confirm based on your specific PeopleSoft configuration
  • Secondary risk: Credential harvesting from PeopleSoft could enable lateral movement into connected enterprise systems

RECOMMENDED ACTIONS

  1. Immediately audit Oracle PeopleSoft deployments: identify all internet-facing instances and restrict external access where operationally feasible
  2. Monitor Oracle’s security advisory portal for emergency patch or mitigation guidance; apply any available patches on an emergency basis
  3. Review PeopleSoft access logs for anomalous authentication attempts, privilege escalation, or unusual data exports; prioritize logs from the past 30–90 days
  4. Isolate PeopleSoft environments from broader network segments if compromise is suspected
  5. Alert identity and HR teams β€” credential and PII exposure should be assumed until ruled out; initiate incident response procedures accordingly
  6. Contact Oracle support directly for guidance if you have an active support contract

SOURCES

  • The Register Security: ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

⚠️ UNCERTAINTY FLAG: Source reporting at time of alert generation is limited to headline-level detail. Patch availability, full victim list, exploited CVE identifier, and confirmed data types exfiltrated are unconfirmed. Update response posture as Oracle and additional reporting provide clarification.