A critical vulnerability in Oracle's PeopleSoft software has been exploited by hackers to breach over 100 organizations, including universities and businesses, resulting in the theft of sensitive student and employee data. The ShinyHunters extortion gang claims to have stolen data from more than 100 organizations running Oracle PeopleSoft software, with three hundred instances breached and forty gigabytes of data taken from Nottingham University alone.

What Happened

The vulnerability, tracked as CVE-2026-35273, allows unauthenticated attackers to completely take over PeopleSoft systems. The bug is remotely exploitable without authentication, may result in remote code execution, and affects PeopleSoft PeopleTools versions 8.61 and 8.62 (and possibly earlier, unsupported ones as well). Oracle credited researchers with TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.

ShinyHunters claimed to have breached over 100 organizations using a "gadget chain" of old vulnerabilities and zero-days to break into PeopleSoft systems. The hackers originally wanted to breach an FBI portal running PeopleSoft, but that attempt failed, so they pivoted to softer targets, including universities. Nottingham University confirmed the breach, with student records, employee data, alumni information, and other sensitive data stolen and published.

Background and Context

The ShinyHunters extortion gang has been targeting organizations that use Salesforce, Gainsight, and education software provided by Instructure. The group tries to steal corporate or customer data and then threatens to release it unless the victims pay a ransom. Earlier this year, education tech company Instructure said it paid the hackers after they breached the company's systems twice.

Mandiant, the Google-owned security unit that investigates cyberattacks, warned in a blog post that the new Oracle flaw is the same bug that the ShinyHunters group is abusing in its hacking campaign targeting PeopleSoft customers. The cybersecurity firm confirmed that it has also notified more than “100 global organizations,” most of them in the United States, in an effort to restrict access to their potentially vulnerable systems.

Why It Matters

The vulnerability and subsequent breach have significant implications for adult-industry platforms and operators. The exploit allows unauthenticated attackers to completely take over PeopleSoft systems, which could lead to data breaches, unauthorized access, and other security risks. The fact that the ShinyHunters gang has been targeting organizations using PeopleSoft software highlights the importance of patching vulnerabilities in a timely manner.

Adult-industry platforms and operators rely on secure infrastructure to protect sensitive customer data. A breach of this nature could compromise not only customer data but also business operations, leading to financial losses and reputational damage. The industry must take proactive measures to ensure that its systems are secure and up to date, including implementing robust security protocols, conducting regular vulnerability assessments, and staying informed about emerging threats.

What Comes Next

Oracle has released an emergency patch for the critical vulnerability, but it is unclear whether a patch is currently available to all customers. The company recommended that customers who use PeopleSoft software apply its mitigations to prevent exploitation. Mandiant and other cybersecurity firms are working with affected organizations to restrict access to their potentially vulnerable systems.

The ShinyHunters gang has claimed responsibility for the breach, but it is unclear whether they will continue to target PeopleSoft users or move on to other vulnerabilities. The incident highlights the importance of staying vigilant and proactive in addressing emerging threats and vulnerabilities.

Key Facts

  • The ShinyHunters extortion gang claims to have breached over 100 organizations using a "gadget chain" of old vulnerabilities and zero-days to break into PeopleSoft systems.
  • The vulnerability, tracked as CVE-2026-35273, allows unauthenticated attackers to completely take over PeopleSoft systems.
  • Oracle credited researchers with TrendAI Zero Day Initiative and TrendAI Research for reporting the vulnerability.
  • Mandiant confirmed that it has also notified more than “100 global organizations,” most of them in the United States, in an effort to restrict access to their potentially vulnerable systems.
  • Nottingham University confirmed the breach, with student records, employee data, alumni information, and other sensitive data stolen and published.