ShinyHunters has breached 100+ companies via Oracle PeopleSoft’s unpublished zero-day

The TL;DR
ShinyHunters exploited an unpublished Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) to breach 100+ organizations. Two-thirds are universities. There is no patch yet.
Oracle warned customers Thursday of a major vulnerability in its PeopleSoft software that hackers have exploited to breach more than 100 organizations. The flaw, CVE-2026-35273, carries a CVSS score of 9.8 and can be exploited over the Internet without authentication. Oracle did not release a patch.
The advisory came a day after cybercrime group ShinyHunters said it was carrying out a massive hacking campaign. Google’s Mandiant confirmed that the vulnerability disclosed by Oracle is the same as the one exploited by ShinyHunters. Mandiant said it has notified more than 100 international organizations, most of them in the United States.
About two-thirds of the victims are universities and colleges. A ShinyHunters member told TechCrunch that the group stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, nationality, enrollment status, GPA, major, and student ID.” The University of Nottingham was named among the breached institutions.
“While several organizations have successfully blocked the operation or remedied the vulnerability, others have experienced the vulnerability, resulting in the stolen data being published on the ShinyHunters Data Leak website,” Mandiant wrote. Oracle did not respond to TechCrunch’s request for comment.
PeopleSoft is used by large corporations and universities to manage payroll, human resources, and student records. The vulnerability affects PeopleTools versions 8.61 and 8.62. ShinyHunters used an array of old and zero-day vulnerabilities to target both cloud and on-premises environments, compromising nearly 300 servers across 100+ organizations.
The attacks follow a pattern. ShinyHunters has spent the past year targeting organizations that share business software with the same vulnerability. Previous campaigns have hit companies using Salesforce, Gainsight, and Instructure’s education platform. The group identifies a flaw, finds every company that uses the software, steals the data, and demands a ransom.
Instructure paid the hackers earlier this year after being breached twice. ShinyHunters also defaced login pages for schools using Instructure’s Canvas portal. The PeopleSoft campaign is the biggest ever, and it is still ongoing. Oracle has recommended a mitigation but has not said when a patch will be available.
For any organization using PeopleSoft, the immediate step is to apply Oracle’s mitigation and restrict Internet-facing access to PeopleSoft servers. The broader lesson is one that the enterprise software industry continues to relearn: when a critical zero-day hits software used by hundreds of large organizations, an attacker only needs to find it once. AI makes vulnerability detection cheaper. Defenders are not quick to fix those flaws. And groups like ShinyHunters make an industry of exploiting every window between disclosure and patch.




