A Hacking Group Claims to Have Stolen Data From Over 100 Companies Using Oracle Software

By Martin Holloway | Published 7d ago | 6 min read | Based on 3 sources

A financially motivated hacking group called ShinyHunters has claimed responsibility for stealing data from Oracle PeopleSoft servers at more than 100 organizations, according to reports published on 10 June 2026 by TechCrunch and BleepingComputer.

The group has not named the affected organizations publicly. But if the claim is true, the sheer number of targets — more than a hundred — makes this one of their largest campaigns yet.

Who Is ShinyHunters

ShinyHunters has been active since at least 2019. They are a gang of financially motivated cybercriminals who break into computer networks, steal sensitive data, and then demand payment to keep the data private or to prevent its sale on dark-web marketplaces — essentially extortion.

Their methods have changed over time. Early on, they used straightforward techniques like trying stolen passwords on multiple accounts or finding exposed source code (the instructions that make software work). More recently, they have moved toward targeting cloud-based business software and using social engineering — tricking people into revealing passwords by phone or email — to break in.

This gang has been linked to breaches affecting hundreds of millions of records over the years. Several alleged members have faced criminal charges in multiple countries.

The Target: Oracle PeopleSoft

Oracle PeopleSoft is business management software used by large organizations for decades. Universities, government agencies, hospitals, and multinational companies rely on it to manage employee information, payroll, and financial records. Many organizations run this software on their own servers or in hybrid setups, which means each company is responsible for keeping it secure and up to date — rather than relying on Oracle to manage security for them.

This setup creates problems. When security vulnerabilities — the digital equivalent of a hole in a lock — are discovered in PeopleSoft, different organizations patch them at different speeds or not at all. Some may never apply fixes. This uneven security posture makes the software an attractive target for hackers.

Additionally, software this old often has outdated security features baked into its design. Authentication methods may have been cutting-edge 15 years ago but are now considered weak. Integrations between PeopleSoft and other software may have been built before modern security standards existed. These legacy vulnerabilities accumulate over time and become harder to fix without rebuilding entire systems.

What Data May Have Been Compromised

If the breach claim is real, the data at risk is significant. PeopleSoft systems typically store employee names, addresses, Social Security numbers, payroll information, and benefits enrollment data. Financial modules contain vendor contracts, procurement records, and other business-sensitive information. Across 100 organizations, that adds up to a very large amount of sensitive information.

As of now, Oracle has not made an official public statement about the claims. No official security advisory or identified vulnerability has been publicly linked to this campaign. This gap between a hacker's claim and official acknowledgment is normal in the early hours after a breach is reported. It does not mean the claim is true or false; it simply shows where the public record stands at this moment.

Why This Matters

The strategy here is familiar to anyone who watches cybercrime closely. A hacker who claims to have broken into 100 organizations at once puts enormous pressure on security teams across those companies. Many will scramble to check their own systems. Some may decide it is easier to pay a ransom than to investigate what happened and admit to a breach publicly. The attacker benefits from this panic. We have seen this playbook before — in 2023, a hacking group used a vulnerability in widely deployed file-transfer software to break into hundreds of companies at the same time and demand payment from many of them. The pattern is the same: a single tool or platform used widely, a claim of mass compromise, and a criminal group trying to extort money at scale rather than attacking individual organizations one at a time.

What Companies Should Do Now

If your organization uses Oracle PeopleSoft — especially if you run it on your own servers — you should not wait for Oracle to confirm the breach before taking action. Here is what to check:

  • Look for public-facing access points. Any part of PeopleSoft that connects to the internet, particularly login pages or data-sharing portals, should be reviewed immediately.
  • Check your access logs. Look for unusual activity — logins at odd hours, service accounts doing things they normally do not do, or data being pulled out of the system that should not be.
  • Watch for data leaving your network. Large amounts of data being sent to unfamiliar computers or websites warrant investigation.
  • Apply the latest security patches. Oracle releases security updates regularly. Confirm that recent patches have been installed on your PeopleSoft systems.
  • Contact Oracle directly. If you have a support contract, open a case with Oracle. They may have additional information about this campaign.
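
The log checks in the list above (logins at odd hours, unusually large amounts of data going to one client) can be scripted as a first pass. The sketch below is an added example, not code from the article's sources or from Oracle. It assumes the web tier in front of PeopleSoft writes Common Log Format lines; the `cmd=login` sign-in marker, the 07:00-19:00 working window and the 50 MiB threshold are assumptions to adjust for your environment, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - jdoe [09/Jun/2026:10:15:02 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 200 5120
192.0.2.10 - jdoe [09/Jun/2026:10:16:40 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/PAGE HTTP/1.1" 200 48211
203.0.113.77 - svc_batch [10/Jun/2026:02:41:13 +0000] "POST /psp/ps/?cmd=login HTTP/1.1" 200 5120
203.0.113.77 - svc_batch [10/Jun/2026:02:42:01 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/EXPORT HTTP/1.1" 200 73400320
203.0.113.77 - svc_batch [10/Jun/2026:02:44:37 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/EXPORT HTTP/1.1" 200 68157440
not a log line
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def review(log_text, login_marker="cmd=login", work_hours=(7, 19),
           byte_limit=50 * 1024 * 1024):
    """Return (off_hours_logins, heavy_clients, unparsed_line_count)."""
    off_hours, sent, unparsed = [], defaultdict(int), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, never silently drop, lines we cannot read
            continue
        # The hour is evaluated in the offset recorded in the log line itself.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        sent[(m["ip"], m["user"])] += 0 if m["size"] == "-" else int(m["size"])
        is_login = m["method"] == "POST" and login_marker in m["path"]
        if is_login and not (work_hours[0] <= ts.hour < work_hours[1]):
            off_hours.append((m["user"], m["ip"], ts.isoformat()))
    # Total response bytes per (client, account) above the threshold.
    heavy = {k: v for k, v in sent.items() if v > byte_limit}
    return off_hours, heavy, unparsed

if __name__ == "__main__":
    logins, heavy, bad = review(SAMPLE_LOG)
    print("off-hours logins:", logins)
    print("heavy clients:", heavy)
    print("unparsed lines:", bad)
```

A hit from either check is a lead to investigate against known batch schedules and export jobs, not proof of compromise.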

It is also worth checking whether any third-party companies — like software providers or managed IT services — have access to your PeopleSoft environment. ShinyHunters has used these kinds of supply-chain connections to break into companies in the past.

The Takeaway

At this moment, the claims are unverified by Oracle or by any named victim coming forward publicly. Whether 100 organizations were actually compromised, or whether the number turns out to be smaller, this incident is a reminder that older enterprise software — maintained by busy IT teams who assume that obscurity provides protection — can still be attractive to determined attackers.

For IT security teams and company leaders, the lesson is straightforward: do not wait for an official confirmation before checking your own systems. When a hacker makes claims this specific, it is worth investigating immediately, regardless of what the vendor or the news media eventually confirms.