ShinyHunters has confirmed it breached 300 Oracle PeopleSoft instances across more than 100 organizations in an ongoing extortion campaign, with the education sector hardest hit and the University of Nottingham already reporting the intrusion to the Information Commissioner’s Office, as required under GDPR breach-notification rules.

PeopleSoft is Oracle’s enterprise resource planning suite: HR, payroll, finance, and student administration. The gang told BleepingComputer it’s using a “gadget chain” of old and zero-day vulnerabilities, though exploitation success varies by instance configuration. Exposed staging infrastructure, discovered by researcher Michael R, included MeshCentral agents and SSH scripts targeting Oracle administrative accounts (‘psoft’, ‘oracle’, ‘linuxadm’) via both password and key-based authentication, running on servers tied to ‘azurenetfiles[.]net’, a domain previously linked to the group.

The group’s stated initial target was an FBI portal running PeopleSoft, which it failed to breach. Seven IOCs were published, including a 142.11.200.186-190 IP block. Oracle hadn’t responded to a request for comment as of publication.

PeopleSoft’s education-sector installations carry a specific risk: student record systems hold financial data, personal identifiers, and cross-campus records spanning international jurisdictions, all of which increase extortion leverage. Nottingham’s breach covered campuses in Malaysia and China, with billing records, student finance details, and personal identifiers already published on the ShinyHunters leak site. Any PeopleSoft administrator in higher education should treat these IOCs as a code-red trigger for log review.
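
One way to run that log review, as an added example that is not part of the original article: a Python script that checks OpenSSH auth lines and other log text against the IP block, domain and account names reported above. The sample log lines, hostnames, the user bob and the severity labels are constructed for illustration.

```python
import ipaddress
import re

# IOCs quoted in the article (domain kept defanged in source, refanged for matching).
IOC_FIRST = ipaddress.ip_address("142.11.200.186")
IOC_LAST = ipaddress.ip_address("142.11.200.190")
IOC_DOMAIN = "azurenetfiles[.]net".replace("[.]", ".")
TARGETED_ACCOUNTS = {"psoft", "oracle", "linuxadm"}
# OpenSSH auth result lines, including the "invalid user" variant.
SSH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
RANK = {"critical": 0, "high": 1, "medium": 2}  # severity labels are this example's own

def in_ioc_block(text):
    """True if text parses as an IPv4 address inside the published block."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.version == 4 and IOC_FIRST <= ip <= IOC_LAST

def review(lines):
    """Return (severity, reason, line) findings, most severe first."""
    findings = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and in_ioc_block(m["ip"]):
            if m["result"] == "Accepted":
                findings.append(("critical", "SSH login succeeded from IOC block", line))
            else:
                findings.append(("high", "SSH attempt from IOC block", line))
        elif m and m["result"] == "Failed" and m["user"] in TARGETED_ACCOUNTS:
            findings.append(("medium", "failed SSH login to a targeted account", line))
        elif not m and (IOC_DOMAIN in line.lower()
                        or any(in_ioc_block(t) for t in re.findall(r"\d+(?:\.\d+){3}", line))):
            findings.append(("high", "IOC domain or address in non-SSH log line", line))
    return sorted(findings, key=lambda f: RANK[f[0]])

# Constructed sample lines (hosts, user bob and timestamps are made up).
SAMPLE_LOG = [
    "Jan 10 03:12:01 ps-app1 sshd[2211]: Failed password for oracle from 142.11.200.187 port 40112 ssh2",
    "Jan 10 03:12:09 ps-app1 sshd[2214]: Accepted publickey for psoft from 142.11.200.188 port 40150 ssh2",
    "Jan 10 03:15:44 ps-app1 sshd[2290]: Failed password for invalid user linuxadm from 198.51.100.7 port 5222 ssh2",
    "Jan 10 03:21:13 dns1 named[88]: query: azurenetfiles.net IN A",
    "Jan 10 03:22:00 ps-app1 sshd[2302]: Accepted password for bob from 142.11.200.191 port 6001 ssh2",
]
if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

Successful logins to the three accounts from addresses outside the block are not flagged here, since they may be routine administration; compare them against known admin source addresses separately.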

No Oracle security advisory has been issued. The ICO investigation is open.

— James Okafor