▣ Breach SHINYHUNTERS-PEOPL 2026-06-27

100+ Organizations: ShinyHunters PeopleSoft Zero-Day Mass Breach

Over a roughly two-week window in June 2026, the data-theft crew known as ShinyHunters weaponized a critical unauthenticated remote-code-execution flaw in Oracle's PeopleSoft HR and finance platform to breach more than 100 organizations, with universities hit hardest. Tracked as CVE-2026-35273 (CVSS 9.8), the zero-day was the subject of an out-of-band Oracle security alert on June 10, 2026. Incident analysis from Arctic Wolf indicates exploitation began as early as May 27, 2026, and by June 9 the group claimed compromise of more than 300 vulnerable PeopleSoft instances. Mandiant independently identified over 100 exposed endpoints tied to the campaign.

What Happened

ShinyHunters ran an industrialized, scan-and-exploit operation rather than a targeted intrusion. According to Arctic Wolf, the group began quietly probing the public internet for vulnerable PeopleSoft deployments on or before May 27, 2026, weeks ahead of Oracle's June 10 emergency advisory. Using automated attack scripts documented by ERP-security vendor Pathlock, the crew was able to scan for and compromise internet-exposed PeopleSoft environments at scale.

By June 9, ShinyHunters claimed a tally of more than 300 vulnerable instances across 100-plus organizations. Mandiant's threat-intelligence team corroborated more than 100 exposed endpoints linked to the activity, with higher-education institutions disproportionately represented. On compromised servers, responders found a ransom note bluntly named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, the calling card of a group that has abandoned file-encrypting malware entirely in favor of straight data theft and extortion.

It is worth separating confirmed from claimed. The 100-plus victim figure originates with ShinyHunters itself; independent corroboration from Mandiant and Arctic Wolf confirms a campaign of unusual breadth, but the precise victim count remains a threat-actor claim. ShinyHunters has publicly named high-profile extortion targets including Eastman Kodak, Amazon's One Medical, and the Council of Europe as part of parallel "pay or leak" pressure.

What Was Taken

PeopleSoft is the system of record for some of the most sensitive data an organization holds: employee and student personally identifiable information, payroll and tax records, bank account and direct-deposit details, Social Security numbers, benefits and health-plan enrollment data, and core financial and procurement records. A successful RCE compromise of a PeopleSoft instance grants access to the underlying application and frequently the connected database, meaning attackers can exfiltrate entire HR and finance datasets.

Exact volumes per victim have not been confirmed publicly, and ShinyHunters has historically inflated figures to maximize extortion leverage. What is clear is the nature of the exposure: with 300-plus instances claimed compromised and universities over-represented, the stolen material almost certainly spans staff and student records at population scale. The group's named extortion targets indicate it is holding data it considers valuable enough to threaten public leaks against major brands and an intergovernmental body.

Why It Matters

This campaign confirms that internet-exposed enterprise resource planning software has become a primary, industrialized target for organized cybercrime. ERP platforms like PeopleSoft were long treated as back-office systems shielded by network perimeters, but mass exposure plus a single unauthenticated flaw collapses that assumption instantly.

The pattern echoes the Cl0p exploitation of Oracle E-Business Suite just eight months earlier, signaling a deliberate pivot by top-tier extortion crews toward enterprise applications that concentrate an organization's most sensitive HR and financial data in one place. The economics favor the attacker: one zero-day plus automated scanning yields hundreds of victims with minimal per-target effort. ShinyHunters' move away from encryption toward pure data theft and extortion also means traditional ransomware defenses and backups offer little protection. For defenders, the takeaway is that ERP attack surface must be treated with the same urgency as edge VPNs and email gateways.

The Attack Technique

CVE-2026-35273 is a critical, unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft, rated CVSS 9.8. As reported, a single unauthenticated HTTP request to an exposed PeopleSoft endpoint is sufficient to achieve code execution, requiring no valid credentials and no user interaction. That combination is what made mass automation viable.

The operational flow was: continuous internet-wide scanning to enumerate exposed PeopleSoft deployments, automated exploitation of CVE-2026-35273 to gain code execution, data exfiltration from the application and connected databases, and finally placement of the README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT ransom note on production servers as the extortion hook. Oracle published an out-of-band advisory on June 10, 2026, but exploitation predated the fix, making this a true zero-day from at least May 27 onward.

What Organizations Should Do

  1. Patch immediately. Apply Oracle's out-of-band fix for CVE-2026-35273 across all PeopleSoft instances as the top priority, treating it as actively exploited in the wild.
  2. Remove PeopleSoft from direct internet exposure. Place instances behind a VPN, reverse proxy, or zero-trust gateway, and restrict access to known IP ranges wherever business processes allow.
  3. Hunt for compromise now. Search for the README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT file, unexpected processes spawned by the PeopleSoft application user, anomalous outbound data transfers, and new or modified web-accessible files dated on or after May 27, 2026.
  4. Review logs for pre-patch exploitation. Examine HTTP access logs back to late May 2026 for suspicious unauthenticated requests to PeopleSoft endpoints, since the patch does not remediate an existing breach.
  5. Rotate credentials and secrets. Reset application, database, and service-account credentials and any keys reachable from compromised hosts, and check for attacker-created accounts or persistence.
  6. Prepare for extortion and disclosure. Assume data exfiltration where compromise is confirmed, engage incident response and legal counsel, and ready breach-notification processes for affected employees, students, and regulators.
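Steps 3 and 4 above describe two hunts: a file-system sweep for the ransom note and for web-accessible files written since the exploitation window opened, and an access-log review for requests to PeopleSoft endpoints from sources that should not be reaching the instance at all. The Python below is an added example, not code from the brief or from any vendor it cites. It assumes Apache-style "combined" access logs, that PeopleSoft PIA URLs begin with /psp/ or /psc/, that the earliest exploitation date is May 27, 2026 as reported by Arctic Wolf, and that an allowlist of networks (a VPN range in the sample) is the right notion of expected traffic; the log lines and file entries it runs on are constructed.

```python
"""Hunting helpers for the compromise-assessment steps above (added example).

Assumptions, labelled as such: combined-format access logs, PIA paths under
/psp/ and /psc/, exploitation window starting 2026-05-27, and an allowlist of
networks that legitimately reach the web tier.
"""
from __future__ import annotations

import ipaddress
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable

RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
EXPLOIT_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # per Arctic Wolf
PS_PATH_PREFIXES = ("/psp/", "/psc/")  # assumed PIA servlet prefixes

# Apache "combined": host ident user [time] "method path proto" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


@dataclass(frozen=True)
class Request:
    ip: str
    when: datetime
    method: str
    path: str
    status: int


def parse_access_line(line: str) -> Request | None:
    """Parse one combined-format line; None for lines that do not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop query string for prefix matching
    return Request(m["ip"], when, m["method"], path, int(m["status"]))


def suspicious_requests(lines: Iterable[str], allowed_nets: Iterable[str]) -> list[Request]:
    """Step 4: requests to PeopleSoft paths inside the exploitation window
    from sources outside the networks expected to reach the instance."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits: list[Request] = []
    for line in lines:
        req = parse_access_line(line)
        if req is None or req.when < EXPLOIT_START:
            continue
        if not req.path.startswith(PS_PATH_PREFIXES):
            continue
        try:
            src = ipaddress.ip_address(req.ip)
        except ValueError:  # hostname instead of address: cannot be allowlisted
            hits.append(req)
            continue
        if not any(src in n for n in nets):
            hits.append(req)
    return hits


def scanner_summary(hits: Iterable[Request]) -> dict[str, int]:
    """Count flagged requests per source so mass-scanning hosts stand out."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


def flag_file_artifacts(entries: Iterable[tuple[str, datetime]]) -> dict[str, list[str]]:
    """Step 3 over (path, mtime) pairs: the ransom note by name, plus anything
    modified on or after the exploitation start date."""
    found: dict[str, list[str]] = {"ransom_note": [], "modified_since_exploit_start": []}
    for path, mtime in entries:
        if Path(path).name == RANSOM_NOTE:
            found["ransom_note"].append(path)
        if mtime >= EXPLOIT_START:
            found["modified_since_exploit_start"].append(path)
    return found


def hunt_webroot(root: str) -> dict[str, list[str]]:
    """Walk a real web-accessible directory and apply flag_file_artifacts."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, tz=timezone.utc)
            entries.append((full, mtime))
    return flag_file_artifacts(entries)


# Constructed sample data (not real traffic or real hosts).
SAMPLE_LOG = [
    '10.20.0.5 - - [20/May/2026:08:01:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [28/May/2026:02:14:09 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2210 "-" "python-requests/2.32"',
    '203.0.113.77 - - [28/May/2026:02:14:11 +0000] "POST /psc/ps/EMPLOYEE/HRMS/c/ HTTP/1.1" 500 0 "-" "python-requests/2.32"',
    '10.20.0.5 - - [28/May/2026:09:00:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/ HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jun/2026:11:30:00 +0000] "GET /static/logo.png HTTP/1.1" 200 1200 "-" "curl/8.0"',
    "garbage line that does not parse",
]
ALLOWED_NETS = ["10.20.0.0/16"]  # assumed VPN range permitted to reach PeopleSoft
SAMPLE_FILES = [
    ("/var/www/html/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT", datetime(2026, 6, 2, tzinfo=timezone.utc)),
    ("/var/www/html/index.html", datetime(2026, 1, 5, tzinfo=timezone.utc)),
    ("/var/www/html/cache/x.jsp", datetime(2026, 5, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG, ALLOWED_NETS)
    for h in hits:
        print(f"{h.when:%Y-%m-%d %H:%M} {h.ip} {h.method} {h.path} -> {h.status}")
    print("per-source counts:", scanner_summary(hits))
    print("file artifacts:", flag_file_artifacts(SAMPLE_FILES))
```

On the constructed sample the log review flags only the two requests from 203.0.113.77 (inside the window, PIA paths, outside the allowlist); the pre-window request and the allowlisted VPN client are ignored, as is the non-PeopleSoft static asset. Point hunt_webroot at the real PIA web root to run the file sweep; anything it returns under modified_since_exploit_start deserves a look even when the ransom note is absent, since the note is only dropped after exfiltration.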

Sources: ShinyHunters Hit 100+ Orgs via PeopleSoft Zero-Day [2026]