
Over 100 organizations hit by another attack from ShinyHunters


This time, the well-known threat group targeted Oracle’s PeopleSoft software, gaining access to data from over a hundred organizations, including many higher education institutions.

 

What happened

According to a June 11th, 2026 threat intelligence report from Mandiant, a cybersecurity company owned by Google, dozens of higher education institutions were hit by a cyberattack between May 27th and June 9th. The attack was claimed by the threat group ShinyHunters, which attacked education company Instructure in late April and early May.

When Mandiant discovered the attack, they notified over 100 global organizations that had IP addresses correlated with the vulnerability. While Mandiant didn’t provide the exact numbers, they shared that the majority of the organizations were based in the United States and 68% were in the higher education sector.

 

Going deeper

The attack was made possible by exploiting a vulnerability in Oracle’s PeopleSoft software, a resource and human capital management software suite used by organizations for tasks like supply chain logistics, payroll, and more.

The exploited vulnerability, named CVE-2026-35273, was found in the Environment Management component of PeopleSoft, which automates system updates. Since Oracle did not know about the vulnerability until the attack, it was considered a zero-day incident. Mandiant provided a technical analysis of the event, including guidance on how organizations that use Oracle can prevent an attack from occurring.

 

Why it matters

According to Higher Ed Dive, some organizations were able to block the attack or fix the vulnerability in PeopleSoft before data was accessed. However, some organizations have already begun confirming whether they were breached. The University of Nottingham in England, for instance, confirmed that they suffered a cybersecurity breach on June 10th, noting that “a significant amount of data in our student record system has been accessed by an external third party.” Data accessed may have included names, email addresses, financial and insurance information, and more. Information from both students and alumni was impacted, and the school said they will continue to provide updates as they have them.

ShinyHunters contacted BleepingComputer, confirming that they had attacked Nottingham University and had allegedly already published the data. The threat group also stated they would be pressuring victimized organizations to pay a ransom to prevent the stolen data from being published. The vulnerability and subsequent attack appear to have had a direct impact on student data, and may lead to other financial consequences if the breaches result in ransoms being paid, lawsuits, or fines.

 

The big picture

In recent months, ShinyHunters has become a prominent threat group. According to Paubox, in May, the group reached a deal with Instructure, the organization behind Canvas, a platform used by hundreds of educational institutions. Negotiating with ransomware organizations is highly discouraged, but victimized organizations can find themselves in a bind if they are unable to operate without reaching an agreement with attackers. As the newest incident unfolds, it shows that ShinyHunters may be gaining the upper hand in negotiations, a dangerous situation for software companies everywhere, especially in education, which seems to be a primary target for ShinyHunters.

 

FAQs

How are vulnerabilities named?

Vulnerability names usually start with the abbreviation CVE, short for “Common Vulnerabilities and Exposures,” followed by the year of discovery and then a unique identifier given by the company MITRE, which runs the CVE list. In some cases, organizations also give the vulnerabilities a specific, more memorable name. The identifier also shows how many vulnerabilities have been recorded by MITRE across the globe. This year, MITRE has documented over 35,000 vulnerabilities, but many are patched or resolved before an exploitation occurs.

 

What is a zero-day incident?

A zero-day incident occurs when a vulnerability is exploited before the organization becomes aware of it, meaning they had no time to patch or resolve it. The name comes from the fact that there are zero days between discovery and exploitation.
