Cybersecurity

Oracle warns of security bug that hackers abused to breach 100+ companies


Oracle issued a security advisory on June 10, 2026, warning of a critical zero-day vulnerability in its PeopleSoft software, which hackers from the ShinyHunters group exploited to breach over 100 organizations, primarily in higher education. The flaw, unpatched at the time of reporting, allows unauthenticated remote exploitation and has already led to stolen data being published on ShinyHunters’ leak site, with Mandiant confirming compromises across the U.S.

Oracle warned its corporate customers on June 10, 2026, about a critical-rated vulnerability in its PeopleSoft software, used for payroll and human resources management. The flaw, identified as CVE-2026-35273, was exploited by the cybercrime group ShinyHunters to breach over 100 organizations, primarily targeting higher education institutions in the U.S. The advisory followed ShinyHunters’ claim of compromising PeopleSoft servers, with Mandiant confirming the group’s activity and notifying over 100 global organizations, most in the U.S.

The bug is a zero-day, meaning Oracle had no prior warning before it was exploited. Mandiant reported that two-thirds of affected organizations were universities, with stolen data—including student records—published on ShinyHunters’ leak site. Oracle stated the vulnerability can be exploited over the internet without authentication and urged customers to apply mitigations until a patch is released. The company did not provide a patch at the time of reporting.

ShinyHunters claimed to have stolen hundreds of thousands of student records, including names, addresses, phone numbers, and academic details from multiple campuses. This attack marks another in a series by ShinyHunters targeting vulnerable software, including prior breaches of Salesforce, Gainsight, and Instructure customers. Mandiant noted that while some organizations blocked the activity or remediated vulnerabilities, others suffered data theft. Oracle has not responded to requests for comment on the breach or patch timeline.

This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.
