Oracle PeopleSoft customers are being hit in ongoing break-ins and extortion attacks that ShinyHunters says have affected more than 100 organizations and 300 PeopleSoft instances. The campaign reportedly targets both cloud and on-premises PeopleSoft deployments, with the attackers claiming to use a chain of older bugs and at least one zero-day, though no CVE has been confirmed by Oracle. Reported evidence includes extortion notes, exposed attacker tooling, and IP-based indicators of compromise tied to infrastructure previously linked to ShinyHunters.
Why it matters: PeopleSoft is widely used for payroll, HR, finance, procurement, and student systems, so a compromise can expose highly sensitive employee, customer, or student data. Organizations running PeopleSoft should urgently review logs for the listed IPs, investigate possible unauthorized SSH access, and prepare incident response while waiting for Oracle guidance.
Lawrence Abrams
2026.06.10
100% relevant
This article appears to be the first clear report establishing a distinct ShinyHunters campaign specifically targeting Oracle PeopleSoft environments across many organizations, with claimed victim count, tactics, and IOCs.
← Back to all stories