ShinyHunters Steals Data From 100+ Organizations via PeopleSoft

Key Takeaways

- ShinyHunters claims to have stolen data from 300 PeopleSoft instances across 100+ organizations
- The attack uses a 'gadget chain' combining old vulnerabilities with zero-days
- Education sector organizations are the primary targets, with Nottingham University confirmed as a victim
Oracle PeopleSoft servers are under active attack. The ShinyHunters extortion gang claims to have stolen data from more than 100 organizations by exploiting the enterprise resource planning software used to manage HR, payroll, and financial operations.
The group told BleepingComputer it has compromised 300 PeopleSoft instances. Both cloud-hosted and on-premises deployments are affected. Victims are now receiving extortion demands signed by ShinyHunters, threatening to publish stolen data unless payment is made.
How the Attack Works
ShinyHunters says it is using a "gadget chain" of vulnerabilities. This means stringing together multiple security flaws, some old and some zero-day, to gain access. The group admits the technique does not work on every system. Success appears to depend on how each PeopleSoft instance is configured.
Oracle has not responded to BleepingComputer's request for comment about whether a zero-day vulnerability is being exploited. The company has not publicly disclosed any information about these attacks.
Cybersecurity researcher Michael R found several publicly exposed (open) web directories containing attack tooling. The directories held staging materials including MeshCentral remote-management agents, a defacement script, and a credential-spraying script.
Who Is Being Targeted
Most victims are in the education sector. Many of these organizations were previously extorted by ShinyHunters. The group specifically named Nottingham University as a confirmed victim. The university released a statement acknowledging it suffered a cybersecurity incident.
In an unusual admission, ShinyHunters revealed its original goal was to breach an FBI portal running PeopleSoft. The group wanted to "publish a statement and set the record straight on some misinformation that has been spreading." That attack failed. They could not gain access to the FBI instance.
Indicators of Compromise
Security teams can check network, proxy, and firewall logs for connections to or from the following IP addresses linked to the attack campaign:
- 142.11.200.186
- 142.11.200.187
- 142.11.200.188
- 142.11.200.189
- 142.11.200.190
- 108.174.202.99
- 176.120.22.24
Some of these IP addresses used a TLS certificate with the common name "azurenetfiles.net". This domain has been previously linked to ShinyHunters operations.
The Legacy ERP Problem
PeopleSoft is a legacy system. Oracle acquired it in 2005, and many organizations continue to run older versions for mission-critical operations. This creates a security challenge. Administrators on forums like r/sysadmin and r/cybersecurity are expressing frustration with Oracle's patch cycles.
The discussion points to a shift in defensive thinking. Perimeter security is not enough when attackers use gadget chains that exploit internal configuration weaknesses. Organizations running PeopleSoft need to audit their configuration settings, not just apply standard security updates.
This is not the first time ShinyHunters has targeted PeopleSoft environments. In a previous 2025 attack against a major employer, the group stole over 800,000 employee records, including Social Security numbers.
Logicity's Take
What to Do Now
If your organization runs PeopleSoft, take these steps immediately:
- Check network, proxy, and firewall logs for connections to or from the IOC IP addresses listed above, and for TLS sessions presenting a certificate for "azurenetfiles.net"
- Audit your PeopleSoft instance configuration, especially web server and authentication settings
- Review MeshCentral and similar remote management tools for unauthorized installations
- Segment PeopleSoft systems from the broader network to limit lateral movement
- Monitor for extortion communications and report them to law enforcement
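The indicator list above and the first step in this checklist are straightforward to automate. The script below is an added example (not code from the article, BleepingComputer, or ShinyHunters' tooling) that sweeps key=value connection log lines for the published IP indicators and for the "azurenetfiles.net" TLS common name, reporting the reason for each hit. The key=value log format and the sample lines are constructed for this example; matching subdomains of the common name is a hunting choice of the example, not something the article states.

```python
"""IOC sweep for the PeopleSoft extortion campaign described in the article.

Added example, not from the article or BleepingComputer. Matches connection
log lines against the published IP indicators and the TLS certificate common
name, and reports each hit with the reason. The key=value log format and the
sample lines below are constructed for this example.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# Indicators of compromise as listed in the article.
IOC_IPS = frozenset({
    "142.11.200.186",
    "142.11.200.187",
    "142.11.200.188",
    "142.11.200.189",
    "142.11.200.190",
    "108.174.202.99",
    "176.120.22.24",
})
IOC_TLS_CN = "azurenetfiles.net"

# Constructed sample of key=value connection/TLS log lines (not real traffic).
SAMPLE_LOGS = """\
ts=2026-04-14T09:12:01Z src=10.20.1.55 dst=142.11.200.187 dport=443 proto=tcp tls_cn=azurenetfiles.net
ts=2026-04-14T09:12:07Z src=10.20.1.56 dst=203.0.113.10 dport=443 proto=tcp tls_cn=www.example.org
ts=2026-04-14T09:13:44Z src=176.120.22.24 dst=10.20.5.8 dport=8000 proto=tcp
ts=2026-04-14T09:15:02Z src=10.20.1.57 dst=198.51.100.7 dport=443 proto=tcp tls_cn=files.azurenetfiles.net
ts=2026-04-14T09:16:30Z src=10.20.1.58 dst=142.11.200.1 dport=443 proto=tcp tls_cn=login.microsoftonline.com
this line is not in key=value form and should be skipped
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line_no: int
    line: str
    reasons: list = field(default_factory=list)


def parse_kv(line: str) -> dict:
    """Parse 'key=value' tokens into a dict; returns {} for lines that have none."""
    return dict(KV_RE.findall(line))


def _is_ioc_ip(value: str) -> bool:
    """True only if value parses as an IP address and is in the IOC set.
    Parsing first avoids substring false positives such as 142.11.200.1887."""
    try:
        return str(ipaddress.ip_address(value)) in IOC_IPS
    except ValueError:
        return False


def _cn_matches(cn: str) -> bool:
    """Exact or subdomain match on the IOC common name (case-insensitive).
    Subdomain matching is a hunting choice of this example, not from the article."""
    cn = cn.lower().rstrip(".")
    return cn == IOC_TLS_CN or cn.endswith("." + IOC_TLS_CN)


def check_fields(fields: dict) -> list:
    """Return the list of reasons a parsed log record matches the IOCs."""
    reasons = []
    for key in ("src", "dst"):
        ip = fields.get(key)
        if ip and _is_ioc_ip(ip):
            reasons.append(f"{key} {ip} is a campaign IP")
    cn = fields.get("tls_cn")
    if cn and _cn_matches(cn):
        reasons.append(f"TLS CN {cn} matches {IOC_TLS_CN}")
    return reasons


def scan(log_text: str) -> list:
    """Scan newline-separated log text and return one Hit per matching line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_kv(line)
        if not fields:
            continue
        reasons = check_fields(fields)
        if reasons:
            hits.append(Hit(n, line, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: " + "; ".join(hit.reasons))
```

Both source and destination fields are checked because the campaign IPs may appear as the origin of inbound exploitation attempts or as the destination of outbound agent traffic. IP values are parsed before comparison so that a plain substring search cannot produce false positives on neighbouring addresses; a hit is a starting point for investigation, not confirmation of compromise.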
Frequently Asked Questions
What is Oracle PeopleSoft?
PeopleSoft is an enterprise software suite used by large organizations to manage human resources, payroll, finance, supply chain, and student administration. Oracle acquired it in 2005.
Who is ShinyHunters?
ShinyHunters is an extortion gang that steals data from organizations and threatens to publish it unless paid. The group has been active for several years and has targeted companies across multiple sectors.
What is a gadget chain vulnerability?
In exploit development, a "gadget chain" normally means a sequence of existing code fragments ("gadgets") that an attacker strings together, for example in return-oriented programming or in Java deserialization attacks. ShinyHunters uses the term more loosely for chaining several vulnerabilities, known flaws and zero-days, so that the foothold gained from one step becomes the input to the next.
Is my organization at risk?
If you run Oracle PeopleSoft, either on-premises or in the cloud, you may be vulnerable. The attack success depends on instance configuration, so auditing your setup is critical.
Has Oracle released a patch for this vulnerability?
Oracle has not publicly disclosed information about these attacks or confirmed whether a zero-day is being exploited. No specific patch has been announced as of this report.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer