The group employed a "gadget chain"—a combination of older, known vulnerabilities chained together with zero-day exploits in PeopleSoft. According to their communication with BleepingComputer, the attack does not work uniformly; success depends on how each target configured its PeopleSoft deployment.
This pay-or-leak model means that when victims refuse to pay, stolen data gets published on ShinyHunters' leak site.
Universities bore the brunt of the assault. ShinyHunters concentrated heavily on higher-education institutions, continuing a pattern established in their earlier 2026 campaigns against Canvas/Instructure and Salesforce Experience Cloud.
The University of Nottingham confirmed it was breached. The attackers infiltrated the university's Campus Solutions student records system—powered by Oracle PeopleSoft—at the end of May 2026. A sample of exfiltrated data posted by ShinyHunters included student, applicant, financial aid, immigration, health, and administrative records. The gang claimed to have stolen more than 40 GB of sensitive information, including billing and payment records, credit card details, student finance data, and campus portal exports encompassing Nottingham's UK, Malaysia, and China campuses.
The PeopleSoft campaign marks a significant tactical pivot for ShinyHunters. For most of 2025 and early 2026, the group relied almost exclusively on identity and access abuse—vishing, social engineering, Okta SSO takeovers, and OAuth token misuse—to breach organizations. Mandiant and Google Threat Intelligence Group reporting documented how ShinyHunters impersonated IT helpdesk staff, directed employees to company-branded phishing sites, and stole single sign-on credentials and MFA codes.
The Crosswalk threat intelligence briefing bluntly stated that ShinyHunters "almost never exploit software vulnerabilities" and instead focus on helpdesk verification, employee MFA, and third-party SaaS OAuth tokens. The PeopleSoft attacks break from that mold entirely, using genuine software exploits—including zero-days—something not previously seen in their operations.
As of June 10, 2026, Oracle had not issued a public statement or security advisory specifically addressing this PeopleSoft campaign. No patches tied to this activity have been announced or confirmed.
UK authorities—including the Information Commissioner's Office (ICO) and law enforcement—had not made any specific public comments about the incident. The University of Nottingham managed its response internally, informing students directly and temporarily taking systems offline for investigation.
The security community has not yet widely published PeopleSoft-specific indicators of compromise (IoCs) such as IP addresses or file hashes tied to this campaign. Huntress published a broader Threat Actor Profile with network indicators associated with ShinyHunters infrastructure, but those relate to SaaS-focused campaigns, not PeopleSoft exploitation specifically.
The Crosswalk briefing notes that ShinyHunters' typical tradecraft—identity abuse—rarely produces software vulnerability-specific IoCs, making defensive hunting for this particular campaign more difficult.
The PeopleSoft campaign fits into a brutal year-long escalation:
Verizon's 2026 Data Breach Investigations Report confirmed a structural shift: vulnerability exploitation overtook stolen credentials as the leading breach vector for the first time in 19 years. ShinyHunters' pivot into actual exploit chains—rather than identity abuse—aligns with that broader trend and signals that mass-parallel campaigns against widely deployed enterprise platforms will likely continue.
For universities, the lesson is stark. The same consolidated-software supply chain that made platforms like Canvas and PeopleSoft essential for remote learning and administration has also made them catastrophic single points of failure when attackers find an unpatched edge.