ShinyHunters claims breach of Oracle PeopleSoft at 100 organizations

ShinyHunters says it has compromised Oracle PeopleSoft servers at more than 100 organizations, a claim that puts legacy campus and workplace systems back in the spotlight because they often sit behind HR, payroll, finance, procurement and student records. The allegation points less to a flaw in PeopleSoft itself than to the weakness around it: stolen credentials, intercepted logins and a patchwork of security practices that can leave institutions exposed long after attackers have moved in.

Google Threat Intelligence said on January 30, 2026, that ShinyHunters-branded activity was using voice phishing, victim-branded credential-harvesting sites, stolen single sign-on credentials and multifactor authentication codes to break into corporate environments and then exfiltrate data from cloud and SaaS systems. Google said the activity was not caused by a vendor product vulnerability but by social engineering, and recommended phishing-resistant multifactor authentication such as FIDO2 security keys or passkeys. Oracle’s security pages identify PeopleSoft as one of the products covered by its alerts and patch updates, and Oracle said its monthly Critical Security Patch Updates began on May 28, 2026.

The scale of the claims has already shown up in higher education. In June 2026, the University of Nottingham said a “significant amount of data” in its student record system was accessed, and reporting on the case said ShinyHunters claimed to have stolen more than 40 GB of billing, payment, student finance and campus portal data spanning the university’s United Kingdom, Malaysia and China campuses. The same group was also linked earlier in 2026 to data theft at Harvard University and the University of Pennsylvania, where more than 1 million records from each school were published after the universities attributed their incidents to social engineering or voice phishing.

TechCrunch reported that ShinyHunters said it published the Harvard and Penn material after the schools refused to pay ransom demands. BleepingComputer said the PeopleSoft campaign is ongoing, underscoring how the theft of one set of credentials can threaten a wide set of institutional records at once.

Oracle has also continued issuing 2026 security advisories across its product line, including an alert addressing CVE-2026-21992 that said it was remotely exploitable without authentication. For schools, agencies and employers still running PeopleSoft, the warning is stark: attackers do not need to break the software when they can simply steal the keys to it.