
Oracle PeopleSoft Data Breach Hits 100+ Organizations


A major Oracle PeopleSoft data breach is now confirmed, with the ShinyHunters extortion gang claiming responsibility for attacks on more than 100 organizations worldwide. The group says it has compromised 300 separate instances and is actively sending extortion demands to victims. One university has already acknowledged the incident publicly, and stolen data has appeared on ShinyHunters’ leak site.

What Is Oracle PeopleSoft?

Oracle PeopleSoft is enterprise software used by large organizations to manage core business functions. These include human resources, payroll, finance, procurement, supply chain management, and student administration. Universities, hospitals, government agencies, and major corporations all run PeopleSoft to keep sensitive operational data in one place.

That makes it an attractive target. A successful breach does not just expose one department’s records. It can hand attackers access to employee data, financial records, and student information all at once.

How the Attack Works

ShinyHunters says the campaign exploits a “gadget chain” of both known and zero-day vulnerabilities. In exploitation the term usually describes stringing together pieces of code that already exist in the target (the classic cases are deserialization attacks and return-oriented programming), each step setting up exactly the state the next one needs, so that the combination yields something, typically code execution, that no single flaw provides on its own. The group appears to be using the word loosely for a chain of separate flaws, but the defensive consequence is the same: removing any one link, whether by patching or by configuration, can break the whole chain.

The group acknowledges that the method does not work on every target. Exploitation success appears to depend on how each PeopleSoft instance is configured, which means organizations running non-standard or hardened setups may have some protection. However, both cloud-hosted and on-premises deployments are in scope.

Exposed infrastructure linked to the campaign reveals more about how the attacks unfold in practice. A cybersecurity researcher identified several publicly accessible directories containing tools and scripts associated with the operation. Among these was a shell script designed to drop a ransom note onto internal PeopleSoft servers after a successful breach. The note is named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.”

How ShinyHunters Moves Through a Network

Once the initial exploit succeeds, the script reads the compromised server’s hosts file (the local hostname-to-address mapping, /etc/hosts on Linux) to identify the other PeopleSoft systems that server knows about. It then attempts to connect to those systems over SSH using common administrative account names associated with Oracle and PeopleSoft environments, such as “psoft,” “oracle,” and “linuxadm.”

If password-based login fails, the script falls back to SSH key-based authentication. That fallback can only succeed if a usable private key is reachable from the compromised host, for example an unprotected key sitting in a service account’s ~/.ssh directory, a common situation where shared accounts are used for scripted transfers between hosts. Together the two methods mean the attacker can often keep moving between PeopleSoft hosts even when some passwords have been locked down.

After gaining access, the script places the ransom note into directories tied to PeopleSoft web and application servers. At that point, the affected organization receives an extortion demand signed by ShinyHunters.

Oracle has not publicly responded to questions about whether a zero-day in PeopleSoft is being actively exploited.

Who Has Been Affected?

ShinyHunters says most victims are in the education sector, and that many of these organizations have been targeted by the group before. The University of Nottingham is named as a confirmed victim. Its data has already been published on the ShinyHunters leak site, and the university has released a public statement acknowledging a cybersecurity incident.

The group also claimed it originally attempted to breach an FBI portal running PeopleSoft. That attempt failed, according to ShinyHunters, and the FBI portal was not compromised.

The Oracle PeopleSoft data breach campaign is not an isolated event. ShinyHunters has been one of the most active extortion operations globally since it emerged around 2020. Past targets include Ticketmaster, Snowflake customers, Salesforce environments, the educational platform Canvas operated by Instructure, and Qantas. The group operates on a straightforward pay-or-leak model: pay the ransom, or see your data published.

Indicators of Compromise

The cybersecurity researcher who uncovered the exposed infrastructure shared seven IP addresses connected to the attacks:

  • 142.11.200[.]186
  • 142.11.200[.]187
  • 142.11.200[.]188
  • 142.11.200[.]189
  • 142.11.200[.]190
  • 108.174.202[.]99
  • 176.120.22[.]24

Five of these servers use a TLS certificate with the common name “azurenetfiles[.]net,” a domain previously associated with ShinyHunters activity. The staging directories also contained MeshCentral agents and a credential spray script, giving a clearer picture of the operational toolkit in use.

What Organizations Should Do Now

If your organization runs Oracle PeopleSoft, the immediate priority is log analysis. Check the web server and reverse-proxy logs in front of the PeopleSoft web tier, firewall and VPN logs, and the SSH authentication logs on every PeopleSoft host for connections from the IP addresses listed above; if a load balancer or WAF sits in front of the web servers, the real client address will be in a forwarded-for header rather than in the first field of the log line. Also search the web and application server directories for the ransom note file name. Even a single hit warrants a full incident response process.
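The checks this step asks for, together with the SSH lateral-movement pattern described under “How ShinyHunters Moves Through a Network,” as a worked example added here (it is not code from the original post or from the researcher who found the staging directories). It assumes Apache/NGINX combined-format web logs and OpenSSH auth log lines; the sample log lines, host names, internal addresses and the per-account allow-list of expected SSH sources are all constructed for the example.

```python
"""Triage helpers for the PeopleSoft extortion campaign: IOC hits in web
logs, suspicious SSH logins for the admin accounts the attackers' script
tries, and the ransom-note file name. Added example, not the post's own
code; all sample log lines below are constructed."""
import os
import re
from collections import defaultdict

# Attacker infrastructure published by the researcher (defanging brackets removed).
IOC_IPS = {
    "142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
    "142.11.200.190", "108.174.202.99", "176.120.22.24",
}
# Account names the lateral-movement script tries over SSH.
SUSPECT_USERS = {"psoft", "oracle", "linuxadm"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Apache/NGINX combined log format: client address first, then request and status.
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# OpenSSH auth log lines, both outcomes and both methods.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def scan_web_log(lines):
    """Return (ip, timestamp, request, status) for every request from an IOC address."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append((m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits


def scan_auth_log(lines, expected_sources):
    """Flag two patterns in sshd logs:
    - an accepted login as psoft/oracle/linuxadm from a source that is not in
      the allow-list for that account (movement between PeopleSoft hosts);
    - password failures followed by a public-key success from the same source
      for the same user (the fallback the dropper script performs).
    expected_sources maps account name -> set of source addresses that
    legitimately use it; everything else is reported.
    """
    state = defaultdict(lambda: {"failed_password": 0, "accepted": []})
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        key = (m.group("user"), m.group("src"))
        if m.group("result") == "Failed" and m.group("method") == "password":
            state[key]["failed_password"] += 1
        elif m.group("result") == "Accepted":
            state[key]["accepted"].append(m.group("method"))
    findings = []
    for (user, src), s in state.items():
        if s["accepted"] and user in SUSPECT_USERS and src not in expected_sources.get(user, set()):
            findings.append(("admin_login_unexpected_source", user, src, ",".join(s["accepted"])))
        if s["failed_password"] and "publickey" in s["accepted"]:
            findings.append(("password_fail_then_key_success", user, src, str(s["failed_password"])))
    return findings


def find_ransom_notes(paths):
    """Filter file paths (os.walk output or a `find` listing) to the note's file name."""
    return [p for p in paths if os.path.basename(p).upper() == RANSOM_NOTE]


def walk_paths(root):
    """Yield every file path under root, for feeding into find_ransom_notes."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


# Constructed sample data; host names, timestamps and internal addresses are invented.
SAMPLE_WEB_LOG = [
    '142.11.200.188 - - [12/Mar/2025:03:14:07 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
    '10.20.30.5 - - [12/Mar/2025:03:15:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
    '176.120.22.24 - - [12/Mar/2025:03:16:41 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 302 0',
]
SAMPLE_AUTH_LOG = [
    "Mar 12 03:19:40 psapp01 sshd[2210]: Failed password for psoft from 10.20.30.12 port 51810 ssh2",
    "Mar 12 03:19:42 psapp01 sshd[2210]: Failed password for psoft from 10.20.30.12 port 51810 ssh2",
    "Mar 12 03:19:44 psapp01 sshd[2210]: Failed password for psoft from 10.20.30.12 port 51810 ssh2",
    "Mar 12 03:20:11 psapp01 sshd[2214]: Accepted publickey for psoft from 10.20.30.12 port 51822 ssh2",
    "Mar 12 03:20:40 psapp01 sshd[2231]: Accepted password for oracle from 10.20.30.12 port 51830 ssh2",
    "Mar 12 08:00:02 psapp01 sshd[3001]: Accepted publickey for deploy from 10.9.0.4 port 41022 ssh2",
    "Mar 12 09:12:55 psapp01 sshd[3120]: Accepted password for psoft from 10.9.0.8 port 40100 ssh2",
]
# Placeholder allow-list: the one jump host that is supposed to use these accounts.
SAMPLE_EXPECTED = {u: {"10.9.0.8"} for u in SUSPECT_USERS}

if __name__ == "__main__":
    for hit in scan_web_log(SAMPLE_WEB_LOG):
        print("IOC hit:", hit)
    for finding in scan_auth_log(SAMPLE_AUTH_LOG, SAMPLE_EXPECTED):
        print("SSH finding:", finding)
    # Point this at PS_HOME / PS_CFG_HOME on a real host; the current directory is a stand-in.
    for path in find_ransom_notes(walk_paths(os.environ.get("PS_CFG_HOME", "."))):
        print("Ransom note:", path)
```

Run it against real files by replacing the sample lists with open file handles. On the constructed data it reports the two IOC addresses in the web log, the psoft login from the unexpected host (including the three password failures that preceded the key-based success) and the oracle login from the same host; the psoft login from the allow-listed jump host is not reported. If a balancer sits in front of the web tier, either adjust WEB_RE to read the forwarded-for field or run the scan on the balancer’s own logs.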

If you find evidence of these connections, isolate affected servers from the internet as quickly as possible, and from other PeopleSoft hosts where you can, since the script spreads between them over SSH. Do not wait for confirmation of full compromise before acting. Early containment limits how far an attacker can move through your environment.

Beyond the immediate response, organizations should review SSH access controls and audit which accounts have administrative privileges on PeopleSoft systems. Default or shared admin credentials, particularly names like “psoft” or “oracle,” are exactly what this campaign relies on. Rotating those credentials, disabling SSH password logins for them, and auditing the authorized_keys files on every PeopleSoft host for keys nobody can account for should be a priority even for organizations that find no evidence of compromise; because the script also tries key-based logins, rotating passwords alone is not enough.
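An audit of the SSH server settings this campaign leans on, added here as an example (not code from the original post). It reads an sshd_config the way OpenSSH does, where the first occurrence of a directive wins and anything after the first Match block applies only conditionally, and reports password logins, root login, generous retry limits and the absence of an account allow-list. The two configurations it is run against are constructed, and the psadmins group name is a placeholder.

```python
"""Audit the global section of an OpenSSH sshd_config for the settings this
campaign leans on: password logins for shared service accounts, root login,
generous retry limits and no account allow-list. Added example, not code from
the original post; the two configurations at the bottom are constructed."""
import re

# Accounts the campaign's script tries; shared service accounts should not be
# reachable over SSH at all, admins should log in as themselves and use sudo.
SUSPECT_USERS = {"psoft", "oracle", "linuxadm"}

# OpenSSH defaults that apply when a directive is absent (see sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}
# Values accepted for the yes/no style directives.
WANTED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no"},
    "permitemptypasswords": {"no"},
}
MAX_AUTH_TRIES = 3

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global(text):
    """Return the effective global directives, keyword lower-cased.
    OpenSSH honours the first occurrence of a keyword, and everything after
    the first Match block only applies conditionally, so parsing stops there;
    audit Match blocks separately."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen


def audit_sshd_config(text):
    """Return a list of (directive, observed value, recommendation)."""
    cfg = parse_global(text)

    def effective(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    def observed(key):
        return effective(key) if key in cfg else effective(key) + " (default)"

    findings = []
    for key, ok_values in WANTED.items():
        if effective(key) not in ok_values:
            findings.append((key, observed(key), "set to " + "/".join(sorted(ok_values))))
    tries = effective("maxauthtries")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", observed("maxauthtries"),
                         f"set MaxAuthTries {MAX_AUTH_TRIES} or lower to slow password spraying"))
    # AllowUsers entries may be user@host patterns; compare on the user part only.
    allow_users = {u.split("@", 1)[0] for u in cfg.get("allowusers", "").lower().split()}
    allow_groups = set(cfg.get("allowgroups", "").lower().split())
    if not allow_users and not allow_groups:
        findings.append(("allowusers/allowgroups", "unset", "restrict SSH to named admins or one admin group"))
    exposed = sorted(allow_users & SUSPECT_USERS)
    if exposed:
        findings.append(("allowusers", " ".join(exposed), "remove shared service accounts from the SSH allow-list"))
    return findings


# Constructed: a permissive configuration of the kind the campaign's script needs ...
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""
# ... and a hardened one. The group name psadmins is a placeholder.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowGroups psadmins
Match Address 10.9.0.0/24
    PasswordAuthentication yes   # conditional; not part of the global audit
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or "no findings")
```

The weak configuration produces four findings (password authentication, root login, MaxAuthTries, no allow-list) and the hardened one none; the conditional PasswordAuthentication inside the Match block is deliberately left to a separate review, since whether it matters depends on which addresses that block matches. Run `sshd -T` on a host to get the fully resolved configuration if you would rather audit that output than the file.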

It is also worth monitoring ShinyHunters’ leak site for any data that may relate to your organization. Because many of the targeted institutions have previously been extorted by this group, some may not recognize a new compromise as a separate incident.

Final Thoughts

The Oracle PeopleSoft data breach campaign is still active. More than 100 organizations have reportedly been hit, a confirmed victim’s data is already public, and Oracle has yet to issue guidance. For any organization running PeopleSoft, this is not a situation to monitor from a distance. Check your logs, review your access controls, and treat the published IOCs as actionable intelligence. ShinyHunters has a long track record of following through on its threats, and the education sector in particular remains firmly in its crosshairs.

Janet Andersen
