
ShinyHunters Claims Massive PeopleSoft Hack Targeting Over 100 Organizations

By: Morgan Cipher, Senior Privacy Journalist

Last updated: June 12, 2026

  • ShinyHunters claims they stole data belonging to more than 100 organizations by hacking into Oracle PeopleSoft servers using a mix of old and new vulnerabilities.

  • The group targeted schools the most and even tried, but failed, to breach an FBI portal running PeopleSoft.

  • Experts found exposed online tools, specific IP addresses, and a ransom note script that reveals how the hackers moved inside networks.

Attackers breached Oracle PeopleSoft servers, affecting more than a hundred organizations. The attack is reportedly ongoing, and both cloud and on-premises PeopleSoft environments were affected.

According to reports, the attackers took large amounts of sensitive information, including student data, employee records, and more. They have now started demanding ransom from the victims.

How the Attacks Work

ShinyHunters has reportedly claimed responsibility for the attack. The hacker group confirmed that they stole data from 300 separate PeopleSoft instances.

PeopleSoft is a well-known software suite that many companies use to manage payroll, human resources, and finance. Schools also use it for student administration. Many big universities and businesses rely on PeopleSoft for their day-to-day operations.

The hackers say they use a “gadget chain” of vulnerabilities. That means they combine older bugs with brand new ones, called zero-days. But the attacks do not work on every system. Success seems to depend on how each customer sets up their PeopleSoft environment.

Oracle did not reply when asked if the company knows about a zero-day being used in these attacks.

Schools Take the Biggest Hit

Most of the victims are in the education sector, and according to the hacker group, they have already extorted money from most of those institutions before. The stolen data is highly sensitive: student records, financial aid details, and immigration data, as well as health information and administrative files.

Similar extortion tactics are being used elsewhere. Hackers claim to have stolen 3 million Cisco records and are demanding payment before releasing the data. The hackers also collected home addresses, phone numbers, email addresses, and birthdates from their victims.

One confirmed victim is the University of Nottingham. The university acknowledged a cybersecurity incident. ShinyHunters already published Nottingham’s data on its public leak site.

The group had a bigger target in mind first. They wanted to hack an FBI portal that runs PeopleSoft. Their goal was to post a statement denying they were behind a wave of swatting attempts the FBI warned about last month. But the hack failed. They could not get into the FBI’s system.

Clues Left Behind

Even though Oracle has not said anything publicly, a security researcher named “Michael R” found exposed online directories. Those directories contained tools linked to the attacks. The researcher saw staging materials, MeshCentral agents, a defacement script, and a credential spray script.

The researcher also shared a list of IP addresses tied to the attacks.

Some of these IPs use a TLS certificate with the name “azurenetfiles.net.” That domain connects back to ShinyHunters from past attacks.

Five of the servers exposed a .bash_history file. That file contained a shell script that creates a note tagged README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT on PeopleSoft servers after breaking in.

How does this script work? It reads the /etc/hosts file to find PeopleSoft systems. Then it tries to connect to them over SSH. It uses common admin accounts like ‘psoft’, ‘oracle’, and ‘linuxadm’. If a password fails, it tries SSH keys instead. Once connected, it drops the ransom note into the PeopleSoft web and application server folders.

What’s Next for CISOs

Security leaders need to act fast. First, check your PeopleSoft logs for connections from those IP addresses. Also, look for unusual SSH activity and odd admin behavior.

Second, harden your admin accounts. Rotate credentials. Audit all key-based access. Restrict remote administration paths as much as possible.

Third, if you suspect a compromise, pull exposed PeopleSoft systems offline right away. Keep them disconnected while your team investigates and secures the environment.
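The SSH behaviour described under "Clues Left Behind" (password attempts against 'psoft', 'oracle' and 'linuxadm', then a fall back to SSH keys) is the kind of "unusual SSH activity" the first step asks for, and it can be hunted in sshd logs. The Python below is an added example, not code from the researcher or from this article; it assumes standard OpenSSH log lines, and the sample log, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Account names the article says the script tries over SSH.
WATCHED = {"psoft", "oracle", "linuxadm"}

# OpenSSH sshd authentication results as written to auth.log / secure.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines (hostnames and addresses are made up).
SAMPLE = [
    "Jun 10 02:14:01 psapp02 sshd[4121]: Failed password for psoft from 10.20.0.15 port 40112 ssh2",
    "Jun 10 02:14:03 psapp02 sshd[4123]: Failed password for oracle from 10.20.0.15 port 40114 ssh2",
    "Jun 10 02:14:05 psapp02 sshd[4125]: Failed password for invalid user linuxadm from 10.20.0.15 port 40116 ssh2",
    "Jun 10 02:14:09 psapp02 sshd[4130]: Accepted publickey for psoft from 10.20.0.15 port 40120 ssh2",
    "Jun 10 03:00:00 psapp02 sshd[4200]: Failed password for oracle from 10.20.0.40 port 50000 ssh2",
    "Jun 10 03:00:07 psapp02 sshd[4201]: Accepted password for oracle from 10.20.0.40 port 50002 ssh2",
    "Jun 10 04:00:00 psweb01 sshd[900]: Failed password for psoft from 10.20.0.77 port 41000 ssh2",
    "Jun 10 04:00:02 psweb01 sshd[901]: Failed password for linuxadm from 10.20.0.77 port 41002 ssh2",
]

def hunt(lines, min_accounts=2):
    """Map each suspicious source address to (finding, accounts)."""
    failed = defaultdict(set)    # src -> watched accounts with a failed password
    key_ok = defaultdict(set)    # src -> accounts opened by key after a failure
    for line in lines:
        m = EVENT.search(line)
        if not m or m["user"] not in WATCHED:
            continue
        src, user, event = m["src"], m["user"], (m["result"], m["method"])
        if event == ("Failed", "password"):
            failed[src].add(user)
        elif event == ("Accepted", "publickey") and src in failed:
            key_ok[src].add(user)
    findings = {}
    for src, users in failed.items():
        if src in key_ok:
            findings[src] = ("key-login-after-password-failure", sorted(key_ok[src]))
        elif len(users) >= min_accounts:
            findings[src] = ("admin-account-spray", sorted(users))
    return findings

if __name__ == "__main__":
    for src, (finding, users) in hunt(SAMPLE).items():
        print(src, finding, ", ".join(users))
```

Because the script is described as taking its targets from /etc/hosts, the source addresses are likely to be internal hosts, so run this over server-to-server SSH logs as well as logs from internet-facing systems.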

ShinyHunters have made mass hacks their specialty. They look for one weak spot in popular software and hit many victims at once. This time, they hit schools and businesses where it hurts the most: their core management systems.
