The notorious decentralized, black-hat cybercrime group ShinyHunters claimed to have hacked Oracle PeopleSoft servers at more than 100 organizations, with many of them being universities, as per the reports of TechCrunch and BleepingComputer.
Oracle’s PeopleSoft is enterprise software that manages payroll, human resources, administration, and other business operations. If ShinyHunters’ claim becomes true, it will once again establish the threat group’s ability to seamlessly commit mass hacks. The group’s modus operandi is to find a vulnerability in a popular piece of software so that they can compromise many victims at once.
“Student, applicant, financial aid, immigration, health, and administrative data have been exfiltrated,” read a message that the alleged hacker sent to one of the victims, while claiming to have stolen student records that include home addresses, phone numbers, emails, and dates of birth.
The hacker added that most of the targeted schools had already been compromised in earlier, unrelated campaigns.
As per the ShinyHunters, the group’s original goal was to compromise an FBI PeopleSoft server and post a statement denying the group’s involvement behind a wave of swatting attempts the FBI flagged in a May 2026 alert.
As per the researchers, the ShinyHunters attackers had set up their own infrastructure for the operation. Tools related to attacking PeopleSoft environments were reportedly discovered on publicly accessible servers. Scripts designed to identify PeopleSoft systems and gain access via known administrative accounts were also uncovered.
“Traces on these systems indicate that, following a successful breach, attackers automatically post ransom notes on servers within the PeopleSoft environment. In doing so, they attempt to gain SSH access using both passwords and existing authentication keys. One of the organizations that has since publicly confirmed it was the victim of a cyber incident is the University of Nottingham. According to the attackers, data from this institution has since been published on their data leak platform,” stated Techzine.