Future TechnologyFuture Technology
Security

ShinyHunters hit 100+ companies through one Oracle PeopleSoft flaw

· 3 min read · By Nath Connell

Key takeaways

  • ShinyHunters exploited one Oracle PeopleSoft flaw to reach HR and payroll systems at 100+ organisations
  • Nissan is among the confirmed victims; the full list is wider
  • The pattern mirrors the group's earlier Salesforce-linked campaign against HackerOne, Huntress, OneTrust and Snyk
  • Stolen HR data is prime material for targeted phishing, watch for unexpected payroll or benefits contact

One flaw. More than 100 companies. That's the arithmetic behind the latest ShinyHunters campaign, and it's why security teams have spent the week scrambling.

The group exploited a vulnerability in Oracle PeopleSoft, the enterprise software many large organisations use to run HR and payroll. Once inside, they didn't need to break into each company individually. The same flaw opened the same door everywhere PeopleSoft was exposed to it.

Nissan is among the most prominent names confirmed as affected, but the list of victims stretches well beyond car manufacturing. HR and payroll systems hold exactly the kind of data attackers want: names, addresses, national insurance or social security numbers, bank details for salary payments, sometimes health information tied to benefits.

Why this one's different

Most breaches you read about involve a single company falling to a single attack. This is a supply-chain style hit through shared software, similar in shape to the SolarWinds or MOVEit incidents, just aimed at HR platforms instead of file transfer tools or network monitoring.

ShinyHunters has form here. The group ran a similar Salesforce-linked campaign earlier this year that touched HackerOne, Huntress, OneTrust and Snyk. Their playbook is consistent: find one widely used platform, exploit it once, extort many.

Why this matters: if your employer uses Oracle PeopleSoft for HR or payroll, your personal data may already be exposed, whether or not you've heard anything from your employer yet. Watch for notification emails, and be suspicious of any unexpected contact referencing payroll, tax, or benefits, since stolen HR data is prime material for targeted phishing.

Oracle has not detailed a specific patch timeline publicly at the time of writing. Organisations running PeopleSoft on premises should confirm with Oracle support whether their instance received the fix, rather than assuming a cloud-hosted deployment protects them.

Get the Cybersecurity & Privacy Digest

The week's biggest breaches, patches and privacy news, every Friday.

Subscribe free →