ShinyHunters Oracle PeopleSoft Breach: What Happened and Who Is Affected

In early June 2026, the cybercrime group ShinyHunters claimed responsibility for a wave of data theft attacks targeting Oracle PeopleSoft servers, the widely used enterprise resource planning (ERP) and human capital management software suite. The group told both TechCrunch and BleepingComputer that it had compromised approximately 300 PeopleSoft instances across more than 100 organizations, using a combination of old and newly discovered vulnerabilities .

The scale of the alleged breach

The majority of known victims are universities and higher-education institutions, with Nottingham University confirmed as one of the targets . Beyond education, the campaign also hit entities in software and technology, financial services, healthcare, energy, logistics, and real estate . This PeopleSoft operation is just the latest in an 18-month rampage by ShinyHunters and the broader Scattered Lapsus$ Hunters collective, a campaign described by researchers as the most sustained data theft and extortion operation in recent cybercrime history .

Other confirmed victims in the group’s broader ecosystem include Instructure, the maker of the Canvas learning management system, Charter Communications, Telus Digital, Anodot, and brands such as Zara, 7-Eleven, Carnival, ADT, Udemy, and Rockstar Games .

What data was allegedly stolen

The stolen data reportedly includes personally identifiable information such as names, email addresses, phone numbers, and physical addresses, as well as HR and financial records from PeopleSoft systems . In the separate Instructure/Canvas breach, the group claimed to have taken data tied to hundreds of millions of students and educators . Authentication tokens were also stolen in related attacks, which were then used to chain further intrusions into Salesforce and other cloud environments .

The FBI objective and the swatting denial

A ShinyHunters member told TechCrunch that the group's original goal was to breach an FBI PeopleSoft server. The intent was to use that access to release a statement publicly disavowing any connection to a series of swatting incidents that the FBI had flagged in a recent alert . Law enforcement had partially attributed those swatting attacks to actors linked to ShinyHunters, and the group wanted to deny involvement. That specific FBI breach attempt was reportedly unsuccessful .

Oracle's response and the critical patch

As of June 10–11, 2026, Oracle had not issued any public statement addressing ShinyHunters' breach claims . However, on June 10, Oracle released a Security Alert Advisory for CVE-2026-35273, a critical vulnerability in Oracle PeopleSoft PeopleTools with a CVSS score of 9.8 . The flaw is remotely exploitable without authentication and can lead to remote code execution . Security researchers and BleepingComputer identified this vulnerability as the likely entry vector used in the ShinyHunters campaign .

Oracle strongly urged customers to apply the patch immediately, describing it as a high-priority risk reduction measure . The company did not confirm whether the vulnerability had been actively exploited in the wild or comment on the scope of any potential customer impact.