SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
▣ Breach NISSAN-ORACLE-PEOP 2026-07-14

Nissan Americas: ShinyHunters PeopleSoft Zero-Day Breach

"Nissan Americas has confirmed that attackers exploited a zero-day flaw in Oracle PeopleSoft to steal personnel records belonging to current and former employees, including banking details, Social Security numbers and…"

Nissan Americas has confirmed that attackers exploited a zero-day flaw in Oracle PeopleSoft to steal personnel records belonging to current and former employees, including banking details, Social Security numbers and tax data. The company disclosed the breach on 29 June 2026, attributing the discovery to Oracle. Incident responders at Mandiant tied the intrusion to the ShinyHunters extortion group, which claims it compromised more than 300 PeopleSoft instances across roughly 100 organizations, making Nissan one victim in one of the year's broadest corporate data thefts.

What Happened

The intrusion traces to CVE-2026-35273, a critical server-side request forgery (SSRF) vulnerability in Oracle PeopleSoft's PeopleTools framework. Mandiant, the Google-owned security firm, dated the activity against Nissan to a window between 27 May and 9 June 2026, before the flaw was publicly known or patched.

Because the defect was a true zero-day, defenders had no fix to apply while attackers were actively working. Nissan said it remained "still in the early stages of the investigation," and quoted Oracle's own notification: "Oracle has informed us that there was a cyber event and that the personnel records of hundreds of companies may have been obtained by so-called threat actors." The carmaker has confirmed it secured the affected systems, engaged outside cybersecurity specialists and notified regulators.

What Was Taken

Nissan has not yet put a number on the employees affected, but the exposed data set is deeply sensitive and spans staff across the United States, Canada, Mexico and Brazil. According to the disclosure, the compromised information may include:

This is the exact category of information that fuels identity theft, payroll diversion and tax fraud. Nissan has begun offering credit and dark-web monitoring to those at risk, an implicit acknowledgment of the long-tail fraud exposure such records create.

Why It Matters

The Nissan breach is not an isolated event but a single node in an industrial-scale campaign. ShinyHunters has spent 2026 running high-volume extortion, pairing stolen data with public pressure on victims to pay. Its claim of more than 300 compromised PeopleSoft instances, corroborated by Mandiant's outreach to over 100 organizations, points to a campaign engineered to monetize one vulnerability across an entire customer base rather than to target Nissan specifically.

The pattern echoes earlier mass thefts tied to shared enterprise platforms, where a single defect cascades into dozens of separate breach notices. It underscores how a widely deployed human-resources platform becomes a single point of failure for the most sensitive records an employer holds. For defenders, the lesson is uncomfortable: the accountability may shift toward the software vendor, but the notification burden, regulatory exposure and employee harm land squarely on every downstream customer.

The Attack Technique

The entry vector was CVE-2026-35273, an SSRF weakness in the PeopleTools framework that underpins PeopleSoft applications. SSRF flaws let an attacker coerce a vulnerable server into making requests on their behalf, often to reach internal services, metadata endpoints or authentication material that should never be exposed externally. In an internet-facing HR platform, that capability can be chained into unauthenticated access to backend data stores holding payroll and identity records.

Because the exploitation occurred during a zero-day window, there was no patch to apply and likely no vendor signature to detect the activity in progress. ShinyHunters appears to have scanned and hit exposed PeopleSoft instances at scale, treating the shared defect as a master key across the customer base rather than mounting bespoke operations against each target.

What Organizations Should Do

Sources: Nissan Confirms Oracle PeopleSoft Employee Breach