At a glance: ShinyHunters is conducting large-scale data theft operations against Oracle PeopleSoft by combining multiple vulnerabilities with credential-based techniques. The campaign targets systems that aggregate high-value data and rely on similar deployment patterns. Reducing system exposure, strengthening authentication practices, and increasing monitoring provide immediate risk reduction against this activity.
Threat summary
Oracle PeopleSoft environments are the focus of an active data theft and extortion campaign disclosed on June 10, 2026. The activity is reportedly attributed to the ShinyHunters threat actor, known for large-scale campaigns of this type. ShinyHunters claims compromise of more than 100 organizations and approximately 300 systems across cloud and on‑premises environments.
Victims began receiving extortion messages on June 9, indicating that data exfiltration occurred prior to public reporting. Most affected organizations appear to be in the education sector, along with enterprises that rely on PeopleSoft for core business operations.
PeopleSoft is an enterprise resource planning (ERP) platform used to manage sensitive business and personal data across finance, human resources, supply chain, and academic administration systems. This concentration of data makes it a high-value target, with reported exfiltration including student records, financial aid data, health information, and administrative data. At least one organization has confirmed unauthorized access and a cybersecurity incident, with data subsequently published on a leak site.
The threat actor reportedly used a “gadget chain” combining older vulnerabilities with potential zero-day flaws, leveraging multiple entry points and taking advantage of how systems are exposed and configured.
According to SC Media, post-compromise activity includes credential spraying and reuse of common administrative accounts to expand access within compromised environments. The same reporting notes the use of tooling such as MeshCentral agents, which are remote management tools that allow ongoing access and control of compromised systems, along with scripts used to identify additional systems and deploy ransom notes after access is established.
Separately, Oracle released a Security Alert on June 10, 2026, for CVE-2026-35273, a critical vulnerability in PeopleSoft Enterprise PeopleTools, the application framework that underpins PeopleSoft ERP deployments. The flaw allows a remote, unauthenticated threat actor to execute code over HTTP without user interaction.
It has a Common Vulnerability Scoring System (CVSS) score of 9.8 and requires only network access to a reachable PeopleSoft endpoint, reflecting low complexity for exploitation. Successful exploitation can lead to full system takeover, including access to sensitive enterprise data, modification of application logic, and service disruption across human resources, payroll, and financial systems.
Public reporting does not confirm a direct connection between the ShinyHunters campaign and this vulnerability. The overlap in timing nonetheless makes it a relevant risk within the same environment, and it reflects the level of access required to support large-scale data exfiltration.
Analysis
Threat actors in this campaign combine multiple techniques rather than relying on a single exploit path. Internet-exposed systems and weak authentication controls provide initial access, while layered vulnerabilities and credential-based techniques allow expansion across environments.
PeopleSoft environments often integrate with identity systems and financial applications, which increases the impact of unauthorized access and enables access to multiple data sources from a single foothold.
The use of chained vulnerabilities combined with credential-based techniques enables access in environments with varying configurations and security controls. Applying Oracle’s security update for CVE-2026-35273, along with other relevant updates for this product line, reduces exposure in PeopleSoft environments.
Reducing external exposure of PeopleSoft environments limits available entry points for both vulnerability exploitation and credential-based access. Restricting administrative interfaces, validating authentication configurations, and removing shared administrative credentials reduce the ability to expand access after initial compromise. Monitoring authentication activity and system logs provides visibility into credential spraying attempts, unusual login patterns, and unexpected data transfers. Isolating affected systems and reviewing account activity support containment when unauthorized access is detected.
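The credential spraying pattern that the monitoring guidance above refers to can be checked for in authentication events. The following Python is an added example, not code from Oracle or from the reporting cited here; the event layout, account names, addresses, and thresholds are constructed assumptions to adapt to the log source in use.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample events: time, source address, account, result.
# This layout is an assumption, not a native PeopleSoft log format.
SAMPLE_LOG = """\
2026-06-01T02:00:05,203.0.113.7,user01,FAIL
2026-06-01T02:01:10,203.0.113.7,user02,FAIL
2026-06-01T02:02:15,203.0.113.7,user03,FAIL
2026-06-01T02:03:20,203.0.113.7,user04,FAIL
2026-06-01T02:04:25,203.0.113.7,shared_admin,FAIL
2026-06-01T02:09:30,203.0.113.7,shared_admin,OK
2026-06-01T08:15:00,198.51.100.20,user09,FAIL
2026-06-01T08:15:20,198.51.100.20,user09,FAIL
2026-06-01T08:15:45,198.51.100.20,user09,OK
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window; tune per environment
MIN_ACCOUNTS = 5                # assumed distinct-account threshold


def parse(text):
    """Return events as (time, source, account, result) tuples in time order."""
    rows = (r for r in csv.reader(StringIO(text)) if r)
    return sorted((datetime.fromisoformat(t), s, u, res) for t, s, u, res in rows)


def detect_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Flag sources that fail logins against many distinct accounts in a window,
    and record any login that succeeds from a source after it was flagged."""
    fails = defaultdict(list)  # source -> [(time, account)] of failed logins
    findings = {}
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
            recent = {u for t, u in fails[src] if ts - t <= window}
            if len(recent) >= min_accounts:
                hit = findings.setdefault(src, {"accounts": set(), "success_after": []})
                hit["accounts"] |= recent
        elif result == "OK" and src in findings:
            # A success from a flagged source is the event to triage first.
            findings[src]["success_after"].append(user)
    return findings


if __name__ == "__main__":
    for src, hit in detect_spray(parse(SAMPLE_LOG)).items():
        print(src, sorted(hit["accounts"]), "success:", hit["success_after"])
```

Repeated failures against a single account, as from 198.51.100.20 in the sample, are not flagged. Grouping by source alone will also miss sprays spread across many addresses, so pair it with a per-account failure count.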