Data Leaks in Education & Healthcare: ShinyHunters Targets Oracle PeopleSoft
Summary
The notorious cybercrime group ShinyHunters has launched a widespread extortion and data theft campaign targeting Oracle PeopleSoft environments. Exploiting a critical zero-day vulnerability (CVE-2026-35273), the group has compromised over 300 PeopleSoft instances across more than 100 organizations globally. The education and healthcare sectors have been disproportionately affected, with attackers exfiltrating sensitive payroll, HR, financial aid, and student records, and publishing them on extortion leak sites.
What happened
- Zero-Day Exploitation: Attackers are leveraging a critical zero-day vulnerability in Oracle PeopleSoft’s PeopleTools component, designated as CVE-2026-35273. The flaw allows unauthenticated remote attackers to execute code.
- Large-Scale Breach: ShinyHunters claims to have compromised more than 300 PeopleSoft instances at over 100 target organizations.
- Sector Focus: Approximately two-thirds of the victim organizations are higher education institutions (universities), alongside various healthcare providers.
- Data Theft: Automated scripts were deployed to scan for vulnerable servers, allowing the theft of employee payroll, HR records, student grades, financial aid documentation, and medical billing details.
- University of Nottingham Exposed: The University of Nottingham is one of the confirmed victims, with hundreds of thousands of student records leaked online.
Why it matters
The incident underscores the persistent vulnerability of critical administrative backend infrastructure within the education and healthcare sectors. Oracle PeopleSoft is the administrative backbone for payroll, human resources, and student affairs at major universities and healthcare groups. Since these systems must remain accessible, a remote code execution zero-day represents a worst-case security scenario, facilitating identity theft, corporate espionage, and highly targeted phishing campaigns.
Evidence
- Security Vendor Analysis: In-depth threat intelligence reports published by security firms including Black Kite and Pathlock.
- Vulnerability Tracking: Oracle’s emergency advisory and CVE-2026-35273 cataloging.
- Data Leaks: Actual data samples uploaded by ShinyHunters to their dark web leak portal.
- Public Confirmations: Official statements from affected institutions acknowledging the compromise.
Analysis
The ShinyHunters campaign highlights a classic threat vector: scanning for widely used enterprise software packages and exploiting a zero-day vulnerability to execute rapid, automated data theft. The educational sector is heavily targeted because university networks are historically open, complex, and operate under lower cybersecurity budgets compared to corporate financial institutions. This attack also demonstrates that legacy software suites like PeopleTools require isolation from the public internet to prevent total compromise.
Practical Takeaways
Organizations utilizing Oracle PeopleSoft should immediately execute the following defensive measures:
- Emergency Patching: Apply the out-of-band security updates issued by Oracle to remediate CVE-2026-35273.
- Network Log Audit: Search network and firewall logs for connections originating from known attacker-affiliated IP addresses:
  142.11.200.186 to 142.11.200.190, 108.174.202.99, and 176.120.22.24.
- IOC Scans: Scan servers for the presence of the ransom text file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
- Access Control: Restrict and audit administrative account access (particularly accounts like psoft, oracle, and linuxadm). Ensure PeopleSoft instances are placed behind VPNs or secure access gateways.
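As an added example (not code from the advisory or from the vendors it cites), a small Python triage script covering the log audit and IOC scan above: the addresses and ransom-note file name are the indicators listed in the advisory, while the firewall log format, the sample log lines, and the directory to scan are constructed assumptions.

```python
import ipaddress
import os
import re

# Indicators as listed in the advisory: one contiguous range plus two single hosts.
ATTACKER_RANGE = (ipaddress.ip_address("142.11.200.186"), ipaddress.ip_address("142.11.200.190"))
ATTACKER_HOSTS = {ipaddress.ip_address("108.174.202.99"), ipaddress.ip_address("176.120.22.24")}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Assumed (constructed) firewall log format: key=value fields including src=<ipv4>.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_attacker_ip(ip: str) -> bool:
    """True if ip falls in the published range or host list; non-IP input is ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr in ATTACKER_HOSTS or ATTACKER_RANGE[0] <= addr <= ATTACKER_RANGE[1]


def scan_firewall_log(lines) -> list:
    """Return the log lines whose source address matches an indicator."""
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if m and is_attacker_ip(m.group(1)):
            hits.append(line.rstrip("\n"))
    return hits


def find_ransom_notes(root: str) -> list:
    """Walk root and return paths of files named like the ransom note (case-insensitive)."""
    return [
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(root)
        for name in files
        if name.upper() == RANSOM_NOTE
    ]


# Constructed sample lines: two indicator hits, one internal host, one just outside the range.
SAMPLE_LOG = [
    "2026-04-02T03:14:07Z fw1 ACCEPT src=142.11.200.187 dst=10.20.0.15 dport=8000",
    "2026-04-02T03:14:09Z fw1 ACCEPT src=10.20.0.44 dst=10.20.0.15 dport=8000",
    "2026-04-02T03:15:30Z fw1 ACCEPT src=142.11.200.191 dst=10.20.0.15 dport=8000",
    "2026-04-02T03:16:02Z fw1 ACCEPT src=176.120.22.24 dst=10.20.0.15 dport=443",
]

if __name__ == "__main__":
    print(scan_firewall_log(SAMPLE_LOG), find_ransom_notes("."))
```

Point `scan_firewall_log` at real exported log lines and `find_ransom_notes` at the PeopleSoft installation root to run the same checks on a live host.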
Open Questions
- How many of the 300 compromised PeopleSoft instances have been successfully isolated and remediated?
- Will Oracle introduce further structural hardening to PeopleTools to mitigate future remote code execution vectors?
- What legal, regulatory, and compliance fines will impacted educational and healthcare entities face under GDPR and HIPAA?