Oracle PeopleSoft Flaw Exposed Over 100 Organizations to ShinyHunters

More than 100 organizations, primarily in higher education, face a critical security breach after the hacking collective ShinyHunters exploited an unpatched zero-day vulnerability in Oracle’s PeopleSoft software. The flaw allows attackers to bypass authentication entirely, granting them unauthorized access to sensitive payroll and human resources systems over the internet.

Jun 11, 23:40· Business Faces

Oracle PeopleSoft Flaw Exposed Over 100 Organizations to ShinyHunters

Oracle issued a security advisory on Thursday confirming the existence of the vulnerability, though a patch remains unavailable. The company currently advises users to implement specific mitigations to prevent further exploitation. Mandiant, which is actively tracking the campaign, has notified over 100 global entities—two-thirds of which are universities—to secure their systems against the ongoing threat.

The breach has already resulted in significant data exposure. ShinyHunters has begun publishing stolen records on its leak site, claiming to possess hundreds of thousands of student files, including GPAs, home addresses, and government-issued identification numbers. The group’s modus operandi involves identifying common software vulnerabilities to extort organizations, a tactic they recently employed against firms using Salesforce, Gainsight, and the Canvas portal provider Instructure. While some organizations successfully remediated their systems, others failed to block the unauthorized access, leading to the public release of their private data.

Oracle PeopleSoft Flaw Exposed Over 100 Organizations to ShinyHunters

Comments (0)