
🛡️ BREAKING: ShinyHunters Exploits Oracle PeopleSoft Zero-Day — 100+ Organizations Compromised
Published Wednesday, June 24, 2026 at 07:14 AM PT

BLUF: Threat actor group ShinyHunters has successfully breached more than 100 organizations by exploiting an unpatched zero-day vulnerability in Oracle PeopleSoft. All organizations running Oracle PeopleSoft should treat this as an active threat requiring immediate action.

DETAILS

- ShinyHunters, a prolific financially motivated threat actor group previously linked to high-profile data theft operations, is confirmed as the actor behind this campaign
- The attack vector is a zero-day vulnerability in Oracle PeopleSoft — meaning exploitation occurred before a patch was available; patch availability status at time of publication is not confirmed in source reporting
- Confirmed victim count stands at 100+ organizations; full scope of affected entities, sectors, and geographic distribution has not been publicly confirmed
- Nature of data accessed or exfiltrated across victim organizations has not been confirmed in available reporting — assume sensitive HR, financial, and identity data is at risk given PeopleSoft’s typical deployment profile
- ShinyHunters has a documented history of large-scale data exfiltration and sale on criminal marketplaces; downstream exposure risk is elevated

IMPACT

- Directly affected: Any organization running Oracle PeopleSoft, particularly internet-facing deployments
- Scope: Enterprise-wide — PeopleSoft is widely deployed across higher education, government, healthcare, and large enterprises for HR, ERP, and financial management functions
- Data at risk: Likely includes employee PII, payroll data, benefits records, and authentication credentials — confirm based on your specific PeopleSoft configuration
- Secondary risk: Credential harvesting from PeopleSoft could enable lateral movement into connected enterprise systems

RECOMMENDED ACTIONS

- Immediately audit Oracle PeopleSoft deployments — identify all internet-facing instances and restrict external access where operationally feasible
- Monitor Oracle’s security advisory portal for emergency patch or mitigation guidance; apply any available patches on an emergency basis
- Review PeopleSoft access logs for anomalous authentication attempts, privilege escalation, or unusual data exports — prioritize logs from the past 30–90 days
- Isolate PeopleSoft environments from broader network segments if compromise is suspected
- Alert identity and HR teams — credential and PII exposure should be assumed until ruled out; initiate incident response procedures accordingly
- Contact Oracle support directly for guidance if you have an active support contract

SOURCES

- The Register Security — ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

⚠️ UNCERTAINTY FLAG: Source reporting at time of alert generation is limited to headline-level detail. Patch availability, full victim list, exploited CVE identifier, and confirmed data types exfiltrated are unconfirmed. Update response posture as Oracle and additional reporting provide clarification.