What happened
Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from more than 100 organizations.
PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.
The attacks are targeting both cloud and on-premises Oracle PeopleSoft customer instances. Affected customers have received extortion demands signed by the ShinyHunters extortion gang.
ShinyHunters claimed it stole data from 300 instances across more than 100 organizations. The group said it is using a combination of old and zero-day vulnerabilities to conduct the attacks, though it said the attack does not work on all systems and may depend on how an instance is configured.
Most of the impacted organizations are reportedly in the education sector, with many previously extorted by the threat actor. ShinyHunters also claimed it attempted to breach an FBI portal running PeopleSoft but was unsuccessful.
Nottingham University was named as a victim, and its data has already been published on the ShinyHunters data leak site. The university also acknowledged that it suffered a cybersecurity incident.
Oracle has not publicly disclosed information about the attacks. A cybersecurity researcher found exposed online directories containing tooling related to the campaign, including staging materials, remote access agents, and scripts used for defacement and credential spraying.
Several IP addresses were shared as indicators of compromise. Some of the servers also used infrastructure previously linked to ShinyHunters. Exposed files showed that the attackers had prepared a script designed to place ransom notes on internal PeopleSoft servers after compromise.
The script attempted to identify PeopleSoft-related systems and connect to them using common PeopleSoft and Oracle administrative account names. If password authentication failed, it attempted key-based authentication as a fallback. Once connected, the script placed the ransom note in directories associated with PeopleSoft web and application servers.
Who is affected
Organizations running Oracle PeopleSoft cloud or on-premises customer instances may be affected, especially large organizations using PeopleSoft for human resources, payroll, finance, procurement, supply chain management, and student administration.
The education sector appears to be heavily affected, with ShinyHunters claiming many impacted organizations are in education. Nottingham University was named as a victim and acknowledged a cybersecurity incident.
Organizations that find connections from the reported indicators of compromise should treat the activity as potentially related to the attacks and begin incident response to determine whether their PeopleSoft environment was compromised.
Why CISOs should care
PeopleSoft environments often contain highly sensitive business and personal data because they support core enterprise functions such as HR, payroll, finance, procurement, and student administration. Unauthorized access to these systems can expose information that creates extortion, privacy, financial, and operational risk.
The reported use of both old and zero-day vulnerabilities also complicates defensive planning. If exploitation success depends on configuration, organizations cannot rely only on whether a vulnerability has been publicly confirmed or patched. They need to assess their own PeopleSoft exposure, configuration, internet accessibility, authentication paths, and administrative account usage.
The campaign also highlights the danger of common administrative accounts and fallback authentication paths. The attackers’ tooling attempted access using familiar PeopleSoft and Oracle administrative account names, then tried key-based authentication if passwords failed. That makes credential hygiene, key management, and administrative account monitoring central to reducing exposure.
3 practical actions
- Analyze PeopleSoft logs for campaign indicators: Organizations running Oracle PeopleSoft should review logs for suspicious connections, unusual administrative activity, unexpected SSH access, and activity tied to PeopleSoft-related systems.
- Harden PeopleSoft administrative accounts and remote access: The attack tooling attempted to connect using common PeopleSoft and Oracle administrative account names, then tried key-based authentication as a fallback. Security teams should review administrative accounts, disable unnecessary access, rotate credentials, audit key-based access, and restrict remote administration to trusted management paths.
- Temporarily isolate exposed PeopleSoft systems if compromise is suspected: Organizations that find signs of compromise should begin incident response immediately and consider temporarily removing affected PeopleSoft servers from internet access until the environment can be secured and reviewed.
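The log review in the first two actions can be sketched as a detection pass over OpenSSH `sshd` authentication logs. This is an added example, not tooling from the campaign or from Oracle: it flags a source that fails password logins on administrative accounts and then succeeds with a key. The account names in `WATCHED`, the function name, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: accounts to watch. The article does not list the names the
# tooling tried; substitute the admin accounts that exist in your estate.
WATCHED = {"psadm1", "psadm2", "psadm3", "oracle"}

# Standard OpenSSH sshd messages for authentication results.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_fallback_logins(lines, watched=WATCHED, min_accounts=2):
    """Return (kind, source, user) findings for watched accounts.

    admin_account_spray: password failures on >= min_accounts accounts.
    key_after_password_failure: key login accepted after such failures.
    """
    failed = defaultdict(set)  # source -> watched accounts with failed passwords
    sprayed, findings = set(), []
    for line in lines:
        m = EVENT.search(line)
        if not m or m["user"] not in watched:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed" and m["method"] == "password":
            failed[src].add(user)
            if len(failed[src]) >= min_accounts and src not in sprayed:
                sprayed.add(src)
                findings.append(("admin_account_spray", src, None))
        elif m["result"] == "Accepted" and m["method"] == "publickey" and failed[src]:
            findings.append(("key_after_password_failure", src, user))
    return findings

# Constructed sample log lines (documentation IP ranges, not real indicators).
SAMPLE = """\
Jun 10 03:14:01 psapp01 sshd[2201]: Failed password for psadm1 from 203.0.113.7 port 51230 ssh2
Jun 10 03:14:03 psapp01 sshd[2203]: Failed password for invalid user psadm2 from 203.0.113.7 port 51232 ssh2
Jun 10 03:14:06 psapp01 sshd[2207]: Accepted publickey for oracle from 203.0.113.7 port 51236 ssh2: ED25519 SHA256:CONSTRUCTED
Jun 10 08:30:12 psapp01 sshd[3310]: Accepted publickey for psadm1 from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Jun 10 08:31:40 psapp01 sshd[3318]: Failed password for alice from 198.51.100.20 port 40030 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in find_fallback_logins(SAMPLE):
        print(finding)
```

A `key_after_password_failure` finding is a prompt to check which key was accepted and whether it belongs in that account's `authorized_keys`.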
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

