
Oracle has warned its corporate customers about a critical security flaw in PeopleSoft, the software large organizations use to manage payroll and human resources. The timing is awkward, to say the least: the advisory came a day after the hacking group ShinyHunters claimed it had already used that exact flaw to breach more than 100 companies.
According to TechCrunch, the vulnerability can be exploited over the internet without any authentication, meaning attackers do not need a password or login to get in. Oracle had not released a patch at the time of writing, and instead recommended customers apply its listed mitigations as quickly as possible.
Mandiant, the Google-owned cybersecurity firm, confirmed in a blog post that the flaw Oracle flagged is the same one ShinyHunters has been actively using. The firm said it has notified more than 100 organizations globally, most of them in the United States, urging them to restrict access to potentially exposed systems.
The flaw is classified as a zero-day, meaning attackers found and exploited it before Oracle had a fix available. That is what makes it especially dangerous. A member of ShinyHunters told TechCrunch this week that the gang broke into companies by targeting unpatched PeopleSoft servers, and that some of those victims are universities and colleges.
Mandiant noted that roughly two-thirds of the affected organizations are in higher education, which lines up with what ShinyHunters had already claimed publicly. The hacker shared a message reportedly sent to one victim school, where the group claimed to have stolen:
- Full names, home addresses, phone numbers, and email addresses
- Dates of birth, gender, and ethnicity
- Enrollment status, GPA, major, and student ID numbers
- Records spanning all campuses, totaling hundreds of thousands of students
Not every targeted organization was successfully breached. Mandiant said several managed to block the activity or fix the vulnerability in time. Others were not so lucky, and stolen data from those victims has already appeared on ShinyHunters’ data leak site.
This is not a one-off incident. ShinyHunters has spent the past year running a string of similar mass-hacking campaigns, finding software with a common flaw and then going after every company that uses it. Past targets include organizations running software from Salesforce, Gainsight, and education technology company Instructure, which makes the widely used school portal Canvas.
The group’s playbook is consistent: find the vulnerable software, identify who uses it, steal data, then demand a ransom in exchange for not publishing it. Earlier this year, Instructure confirmed it paid the hackers after they breached the company’s systems twice. During that same campaign, ShinyHunters defaced the login pages of multiple schools using Canvas.
The PeopleSoft campaign follows that same pattern and shows the group is not slowing down. For organizations still running unpatched PeopleSoft servers, Oracle’s guidance is to apply the available mitigations immediately. Oracle did not respond to requests for comment.