
Oracle PeopleSoft Breached by the ShinyHunters Data Theft Attack

Published: 06.11.2026 | Updated: 06.11.2026

On June 10, 2026, ShinyHunters, a well-documented cybercrime group known for large-scale data theft and extortion campaigns, claimed to have exploited Oracle PeopleSoft vulnerabilities across more than 300 instances at over 100 organizations worldwide. The education sector bore the brunt of the attack, with universities and higher education institutions emerging as the primary victims.

The attack was notable for its combination of sophistication and scale. Rather than targeting a single organization with a tailored exploit, ShinyHunters deployed automated attack scripts capable of scanning and compromising PeopleSoft environments at scale, demonstrating that ERP applications are no longer too obscure or complex to attract organized, industrialized cybercrime.

IMMEDIATE ACTION REQUIRED

Check your PeopleSoft web and application server logs NOW for connections from the following attacker-controlled IPs: 142.11.200[.]186–190, 108.174.202[.]99, 176.120.22[.]24. Also search for a ransom file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Absence of these indicators does not rule out compromise: the IP list is short, and the ransom note is dropped by the attackers' post-breach script, not by the initial exploit.

Scale of the Attack

Claimed Attack Dimension   | Detail
---------------------------|----------------------------------------------------------
Instances compromised      | 300+ PeopleSoft instances
Organizations breached     | 100+ organizations
Primary sector affected    | Higher education / universities
Deployment types affected  | Both cloud-hosted and on-premises
Known IOC attacker IPs     | 142.11.200[.]186–190, 108.174.202[.]99, 176.120.22[.]24
Known IOC domain           | azurenetfiles[.]net
Known IOC ransom artifact  | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
Admin accounts targeted    | psoft, oracle, linuxadm

These figures are ShinyHunters' own claims, relayed to BleepingComputer and TechCrunch by a member of the group; they have not been independently verified. ShinyHunters also acknowledged that the attack fails on some systems and that success depends on how each instance is configured. As of June 11, 2026, the only publicly confirmed victim is an educational institution that acknowledged a cybersecurity incident and confirmed that ShinyHunters had published more than 40 GB of stolen data covering nearly 500,000 current and former students across its campuses in the UK, Malaysia, and China.

How the Attackers Breached PeopleSoft: Technical Anatomy of the Attack

The Vulnerability Chain

ShinyHunters exploited what security researchers describe as a “gadget chain”: a sequence of known (older) and previously undisclosed (zero-day) vulnerabilities in Oracle PeopleSoft, linked so that each step enables the next.

On June 10, 2026, the same day the attacks were reported, Oracle published an out-of-band security alert for CVE-2026-35273, a critical vulnerability in PeopleTools 8.61 and 8.62 that is remotely exploitable without authentication and may result in remote code execution. Oracle credited Trend ZDI / Trend Research for the report. The patch availability document is accessible to customers with an active Oracle support account.

The vulnerability chain enabled attackers to:

  • Authenticate as privileged users or bypass authentication entirely
  • Execute actions through PeopleSoft’s application layer as a legitimate user
  • Access and extract records via legitimate application APIs
  • In some cases, gain full administrative control of the application

This is significant because the attackers operated within PeopleSoft’s own application logic, not through a direct database exploit. To the application they looked like legitimate users, so database and perimeter controls had nothing to flag. Without application-layer monitoring and policy enforcement, nothing alerted defenders that anything was wrong.

Credential Exploitation and Configuration Weaknesses

The zero-day vulnerability chain was only part of the story. A significant contributor to the attack's success across affected organizations was systemic misconfiguration and poor security hygiene, which the attackers' tooling exploited once it had a foothold.

Based on external analysis by Michael R, the script runs after an environment has been breached via the vulnerability chain: it parses /etc/hosts on the compromised host to identify other internal PeopleSoft systems, connects to them over SSH using common administrative accounts (psoft, oracle, linuxadm), and drops the ransom note.

When password-based authentication failed, the script fell back to SSH key-based authentication. This script is a post-breach lateral-movement and ransom-delivery mechanism, not the documented initial access vector; initial access is attributed to CVE-2026-35273 and the related gadget-chain vulnerabilities.
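The SSH stage described above leaves a recognisable trail in ordinary sshd logs. The following is an added example written for this page, not part of the original post or of any published analysis of the script. It parses a constructed sample of syslog-format sshd lines and flags two behaviours: a successful login to one of the psoft, oracle or linuxadm accounts that follows password failures for the same account from the same source within a few minutes (the password-then-key fallback, or a guessed password), and any single source that touches two or more of those accounts, which is what a script walking a fixed account list looks like. The hostnames, addresses and log lines are constructed, and the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Accounts the post-breach script is reported to try over SSH.
WATCHED_USERS = {"psoft", "oracle", "linuxadm"}

# Constructed sample of syslog-format sshd lines (not real log data).
# 10.20.30.40 plays the already-compromised PeopleSoft host walking its peers.
SAMPLE_AUTH_LOG = """\
Jun 10 02:14:03 psapp02 sshd[2211]: Failed password for psoft from 10.20.30.40 port 51022 ssh2
Jun 10 02:14:05 psapp02 sshd[2211]: Failed password for psoft from 10.20.30.40 port 51022 ssh2
Jun 10 02:14:09 psapp02 sshd[2215]: Accepted publickey for psoft from 10.20.30.40 port 51030 ssh2: RSA SHA256:c0n5tructed
Jun 10 02:15:11 psapp02 sshd[2230]: Failed password for oracle from 10.20.30.40 port 51044 ssh2
Jun 10 02:15:14 psapp02 sshd[2231]: Accepted password for oracle from 10.20.30.40 port 51046 ssh2
Jun 10 02:16:00 psapp02 sshd[2240]: Failed password for invalid user linuxadm from 10.20.30.40 port 51050 ssh2
Jun 10 09:30:00 psapp02 sshd[3100]: Accepted publickey for psoft from 10.0.5.7 port 40000 ssh2: ED25519 SHA256:c0n5tructed
Jun 10 09:31:00 psapp02 sshd[3101]: Accepted password for alice from 10.0.5.8 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict for auth success/failure lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; deltas within one day are all we need
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def find_ssh_admin_abuse(log_text, watched_users=WATCHED_USERS,
                         window=timedelta(minutes=5)):
    """Flag the two behaviours the lateral-movement script exhibits."""
    events = [e for e in map(parse_sshd_line, log_text.splitlines()) if e]
    findings = []

    # (a) password failures, then a success for the same watched account from
    #     the same source: the password-then-key fallback (or a guessed password)
    for i, ev in enumerate(events):
        if ev["result"] != "Accepted" or ev["user"] not in watched_users:
            continue
        prior_failures = [
            p for p in events[:i]
            if p["result"] == "Failed" and p["user"] == ev["user"]
            and p["ip"] == ev["ip"] and ev["ts"] - p["ts"] <= window
        ]
        if prior_failures:
            findings.append({
                "type": "success_after_failures", "user": ev["user"],
                "ip": ev["ip"], "method": ev["method"],
                "failures": len(prior_failures), "ts": ev["ts"],
            })

    # (b) one source touching several watched accounts, whatever the outcome:
    #     a script iterating a fixed account list
    accounts_by_source = {}
    for ev in events:
        if ev["user"] in watched_users:
            accounts_by_source.setdefault(ev["ip"], set()).add(ev["user"])
    for ip, users in sorted(accounts_by_source.items()):
        if len(users) >= 2:
            findings.append({"type": "multi_admin_account_source",
                             "ip": ip, "users": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in find_ssh_admin_abuse(SAMPLE_AUTH_LOG):
        print(finding)
```

Run it over /var/log/auth.log (or journalctl output for the ssh unit) on every host named in the compromised instance's /etc/hosts, not only the web tier. The source address to look for at this stage is the breached PeopleSoft host, not the external IOC addresses, because this stage runs host to host; the psoft login from 10.0.5.7 in the sample is deliberately left unflagged to show that a clean key-based login on its own is not evidence.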

What Organizations Must Do Right Now

Immediate Actions (Next 24–48 Hours)

Regardless of whether you are a current Pathlock customer, every organization running PeopleSoft should take the following steps immediately:

  1. Search your PeopleSoft web-server and application-server logs, and the logs of any reverse proxy or load balancer in front of them, for connections from the known ShinyHunters IP addresses: 142.11.200[.]186–190, 108.174.202[.]99, 176.120.22[.]24. If found, initiate incident response immediately.
  2. Search your PeopleSoft web and application server directories for a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT. Its presence confirms that the attackers' post-breach script ran on that host; its absence does not prove that you were not breached.
  3. Immediately disable or rotate credentials, passwords and SSH keys alike, on the administrative accounts the attackers' script targets: psoft, oracle, linuxadm. Extend this to any other shared PeopleSoft or database administrative accounts.
  4. Audit all recently created user accounts in PeopleSoft. Attackers frequently create backdoor accounts to maintain persistent access.
  5. Verify your X-Forwarded-For handling. If PeopleSoft sits behind a load balancer or reverse proxy and the web server records the proxy's address instead of the forwarded client address, you may be blind to IP-based indicators of compromise even with logging in place.
  6. Flag any unusual permission changes, emergency access grants, or new admin-level roles created in the last 30 days.
  7. Identify and audit any accounts with toxic combinations of privileges, particularly accounts with broad read access to HR, payroll, financial aid, or student records combined with the ability to run PeopleSoft queries.
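Steps 1, 2 and 5 above can be scripted together. The following is an added example written for this page, not Pathlock's tooling and not code from any published analysis. It expands the IOC IP range, reads a constructed sample of web-tier access log lines in an assumed layout (common log format with a trailing quoted X-Forwarded-For field), attributes each request to the real client by walking X-Forwarded-For from the right and discarding only your own trusted proxy (assumed here to be 10.0.0.5), so that a client-supplied spoofed value is never trusted, and searches a directory tree for the ransom note case-insensitively. The log lines, request paths and proxy address are all constructed.

```python
import ipaddress
import os
import re
import tempfile

# Indicators from the advisory text above, un-defanged so they can be compared.
IOC_IP_SPECS = ["142.11.200.186-142.11.200.190", "108.174.202.99", "176.120.22.24"]
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Assumption: the address of your own reverse proxy or load balancer. Hops it
# appends to X-Forwarded-For are trusted; anything the client sent before that is not.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def expand_ioc_ips(specs):
    """Turn 'a.b.c.d-a.b.c.e' ranges and single addresses into a set of addresses."""
    ips = set()
    for spec in specs:
        if "-" in spec:
            lo, hi = (int(ipaddress.ip_address(s.strip())) for s in spec.split("-"))
            ips.update(ipaddress.ip_address(n) for n in range(lo, hi + 1))
        else:
            ips.add(ipaddress.ip_address(spec))
    return ips


IOC_IPS = expand_ioc_ips(IOC_IP_SPECS)

# Assumed log layout: common log format followed by a quoted X-Forwarded-For field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

# Constructed sample lines (not real traffic). 10.0.0.5 is the trusted proxy;
# the second line carries a client-spoofed first hop, the fifth an address just
# outside the IOC range, the sixth a request the proxy forwarded with no header.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2026:02:11:47 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123 "142.11.200.187"
10.0.0.5 - - [10/Jun/2026:02:12:03 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 200 8040 "203.0.113.9, 108.174.202.99"
10.0.0.5 - - [10/Jun/2026:08:00:10 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 2211 "192.0.2.10"
176.120.22.24 - - [10/Jun/2026:02:13:30 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/ HTTP/1.1" 200 9800 "-"
10.0.0.5 - - [10/Jun/2026:02:14:00 +0000] "GET /psp/ps/ HTTP/1.1" 200 1500 "142.11.200.191"
10.0.0.5 - - [10/Jun/2026:02:15:00 +0000] "GET /psp/ps/ HTTP/1.1" 200 1500 ""
"""


def true_client_ip(remote_addr, xff):
    """Walk the hop chain from the right, skipping only our trusted proxies.
    remote_addr is the peer that actually connected and is trustworthy; hops
    further left in X-Forwarded-For were supplied by earlier parties and can be
    spoofed, so the first untrusted hop from the right is the real client."""
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops + [remote_addr]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            continue
        if ip not in TRUSTED_PROXIES:
            return ip
    return ipaddress.ip_address(remote_addr)


def hunt_access_log(log_text):
    """Return every request attributable to an IOC address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = true_client_ip(m["remote"], m["xff"])
        if ip in IOC_IPS:
            hits.append({"ts": m["ts"], "client_ip": str(ip),
                         "request": m["request"], "status": m["status"]})
    return hits


def find_ransom_notes(root):
    """Case-insensitive search for the ransom note anywhere under root."""
    return [os.path.join(d, n) for d, _, files in os.walk(root)
            for n in files if n.upper() == RANSOM_NOTE]


def ransom_note_search_selftest():
    """Plant a note in a throwaway tree (constructed, not a real incident) and
    return what find_ransom_notes reports, relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "webserv", "peoplesoft")
        os.makedirs(target)
        with open(os.path.join(target, RANSOM_NOTE.lower()), "w") as f:
            f.write("constructed placeholder\n")
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("benign\n")
        return [os.path.relpath(p, root) for p in find_ransom_notes(root)]


if __name__ == "__main__":
    for h in hunt_access_log(SAMPLE_ACCESS_LOG):
        print(f"IOC hit from {h['client_ip']} at {h['ts']}: {h['request']} -> {h['status']}")
    print("ransom notes found:", ransom_note_search_selftest())
```

Point hunt_access_log at the web server's access logs and, separately, at the proxy's own logs, which record the true peer address regardless of any header. Replace TRUSTED_PROXIES with your real load balancer addresses; with the wrong value every request is attributed to the proxy and the hunt silently returns nothing, which is exactly the blind spot step 5 warns about. The IOC domain azurenetfiles[.]net is not covered here and should be searched for in DNS and egress proxy logs.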

Short-Term Hardening (Next 30 Days)

Beyond the immediate response, organizations should prioritize the following hardening actions:

  • Enforce MFA at the application layer, not just at the IdP, including for administrative accounts that do not go through your Identity Provider.
  • Implement IP allowlisting for administrative access. Admin accounts should be restricted to known, internal IP addresses, and connections from unknown external IPs should be blocked automatically.
  • Deploy application-layer activity logging that captures field, page, and component-level user activity, including record views, queries, and data downloads, with full session metadata (IP, user ID, timestamp, browser).
  • Establish real-time anomaly detection that monitors for authentication failures, unusual login patterns, off-hours access, and geographic impossibilities.
  • Implement dynamic data masking on sensitive fields (SSNs, bank account numbers, compensation, health data) so that even authenticated users see only masked values unless they explicitly request access, and every such request is logged.
  • Ensure all high-privileged access goes through Single Sign-On, closing the side-door bypass that allows admin accounts to authenticate directly to PeopleSoft without going through your IdP.

How Pathlock Can Help

Pathlock operates as a hardened, lightweight security layer that installs as a plug-in on PeopleSoft’s web server, requiring no additional hardware, no custom development, and no disruption to future PeopleSoft updates. It operates between the browser and the application, evaluating every access request in real time against a unified policy and rules engine.

Each of the five structural gaps the ShinyHunters attack exposed maps directly to a Pathlock control:

Attack Vector                      | Pathlock Control That Addresses It
-----------------------------------|--------------------------------------------------------------
Default and weak admin credentials | Pathlock enforces MFA at login and at the application layer for all users, including admin accounts not in the IdP, blocking access even with valid credentials unless a second factor is provided.
No MFA for admin accounts          | Pathlock’s Zero Trust policy engine enforces MFA at login, inline, and at specific high-sensitivity pages, fields, and components, not just at the IdP boundary.
No IP-based access controls        | Pathlock evaluates every access request against IP address, geographic location, device type, and time of day. Connections from external IPs using admin accounts are automatically blocked or trigger step-up authentication.
No granular activity logging       | Pathlock logs every action at the field, page, and component level, including record views, queries, and downloads, with full session metadata, enabling rapid forensic investigation.
No real-time anomaly detection     | Pathlock monitors login trends, authentication failures, unusual after-hours access, and geographic anomalies in real time. Repeated authentication failures of the kind produced by credential spraying would trigger immediate alerts.

The Layered Security Model: Why All Three Layers Must Work Together

Pathlock’s architecture enforces security simultaneously across three distinct layers — connected through a single policy engine:

Layer 1: Application Layer

SAML/ADFS integration connects PeopleSoft to enterprise identity providers (Okta, Azure AD, Ping Identity). SSO is enforced natively. MFA is required at login, inline, or at specific high-sensitivity pages and fields. Critically, this layer covers administrative accounts that would otherwise bypass IdP-based authentication entirely.

Layer 2: Transaction Layer

Zero Trust policies evaluate the full context of every access request in real time. Unusual access patterns, a foreign IP, off-hours activity, an unknown device, or use of a default admin account trigger automatic blocks or step-up MFA challenges before any data is reached.

Layer 3: Data Layer

Dynamic Data Masking protects sensitive fields (SSNs, bank accounts, compensation, health data) at the UI level. Even with valid application access, attackers see only masked values. Click-to-view masking logs every intentional data exposure for audit and compliance purposes.

Get a Free Security Assessment with Pathlock

Schedule a focused PeopleSoft security assessment with Pathlock to evaluate potential exposure to current threats, identify gaps in access and controls, and walk away with prioritized actions to strengthen your security posture.