ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree
The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.
- Check: Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your org received a ShinyHunters extortion demand.
- Affected: Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
- Fix: Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on instances.
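
An added example for the log review under Check (not from the original brief or from Oracle): it flags sign-ons from a blocklisted IP or from an external IP the account has not used before. It assumes a CSV export with PSACCESSLOG-style columns OPRID, LOGIPADDRESS and LOGINDTTM; the sample rows, trusted range, blocklist entry and baseline date are constructed placeholders.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; column names assume a CSV export of PeopleSoft's
# PSACCESSLOG sign-on audit table (adjust to match your own export).
SAMPLE_CSV = """OPRID,LOGIPADDRESS,LOGINDTTM
JSMITH,10.20.4.17,2025-01-06 08:58:11
JSMITH,10.20.4.17,2025-01-07 09:02:40
HR_ADMIN,10.20.9.5,2025-01-07 10:15:03
JSMITH,10.20.4.22,2025-02-03 09:01:55
HR_ADMIN,203.0.113.45,2025-02-03 02:14:09
PAYROLL1,198.51.100.7,2025-02-03 02:31:47
"""

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate range
BLOCKLIST = {ipaddress.ip_address("198.51.100.7")}     # placeholder, not a real IoC
BASELINE_END = datetime(2025, 2, 1)                     # assumed start of review window


def flag_logins(csv_text, trusted_nets, blocklist, baseline_end):
    """Return (oprid, ip, timestamp, reason) for sign-ons that need review."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["LOGINDTTM"])
    known = defaultdict(set)  # per-user source IPs seen during the baseline
    findings = []
    for row in rows:
        user = row["OPRID"]
        when = datetime.strptime(row["LOGINDTTM"], "%Y-%m-%d %H:%M:%S")
        try:
            ip = ipaddress.ip_address(row["LOGIPADDRESS"].strip())
        except ValueError:
            findings.append((user, row["LOGIPADDRESS"], when, "unparseable source address"))
            continue
        if ip in blocklist:  # checked first so baseline-period hits are not missed
            findings.append((user, str(ip), when, "source IP on shared blocklist"))
        elif when < baseline_end:
            known[user].add(ip)
        elif ip not in known[user] and not any(ip in net for net in trusted_nets):
            findings.append((user, str(ip), when, "first sign-on from unfamiliar external IP"))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_CSV, TRUSTED_NETS, BLOCKLIST, BASELINE_END):
        print(*finding, sep=" | ")
```

Replace the placeholder blocklist with the attacker IPs researchers have shared, and set the trusted ranges and baseline date to match your environment.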