ShinyHunters compromised over 100 companies by exploiting a zero-day vulnerability in Oracle PeopleSoft that had not been patched.

      ShinyHunters has taken advantage of an unpatched zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273, CVSS 9.8) to compromise over 100 organizations, two-thirds of which are universities. Oracle has yet to release a patch for the flaw.

      On Thursday, Oracle alerted its customers about a critical vulnerability in its PeopleSoft software that has already been exploited by hackers. The vulnerability has a CVSS score of 9.8 and can be exploited over the internet without authentication.

      This advisory came just a day after the cybercrime group ShinyHunters claimed responsibility for the widespread hacking campaign. Mandiant, a Google-backed security firm, confirmed that the vulnerability disclosed by Oracle is indeed the same one being exploited by ShinyHunters. Mandiant has notified over 100 organizations worldwide, predominantly in the United States.

      Approximately 66% of the affected institutions are universities and colleges. A member of ShinyHunters revealed to TechCrunch that the group managed to steal "hundreds of thousands" of student records, which included full names, home addresses, phone numbers, emails, dates of birth, gender, ethnicity, enrollment status, GPA, major, and student IDs. The University of Nottingham was specifically mentioned as one of the compromised institutions.

      Mandiant stated, "While several organizations successfully blocked the activity or addressed the vulnerabilities, others suffered compromises, leading to stolen data being published on the ShinyHunters Data Leak Website." Oracle did not respond to a request for comment from TechCrunch.

      PeopleSoft is utilized by major corporations and educational institutions to manage payroll, human resources, and student records. This vulnerability affects PeopleTools versions 8.61 and 8.62. ShinyHunters exploited a combination of old and zero-day vulnerabilities, targeting both cloud and on-premises systems, affecting around 300 servers among the compromised organizations.

      The attack follows a recognizable pattern. Over the past year, ShinyHunters has been targeting organizations that utilize the same susceptible enterprise software. Past campaigns have targeted businesses using Salesforce, Gainsight, and the educational platform Instructure. The group identifies the flaw, locates every company using the software, steals data, and then demands ransom.

      Earlier this year, Instructure paid the hackers after being compromised twice. ShinyHunters also defaced the login pages of educational institutions using Instructure’s Canvas portal. The PeopleSoft campaign is the largest to date and is still ongoing. Oracle suggested mitigations but has not announced when a patch will be available.

      For organizations using PeopleSoft, the immediate recommendation is to implement Oracle's mitigations and limit internet access to PeopleSoft servers. A broader lesson for the enterprise software industry is that when a critical zero-day vulnerability is discovered in software used by numerous large organizations, an attacker only needs to learn of it once. AI is reducing the cost of vulnerability discovery, yet those patching these vulnerabilities are not keeping pace. Meanwhile, groups like ShinyHunters are systematically exploiting every gap between disclosure and resolution.
