Oracle Patches PeopleSoft Bug After ShinyHunters Claims Mass Hack of 100+ Companies

Oracle waited a full day to warn its customers about a critical security hole in PeopleSoft — the same day a hacking group bragged about using it to break into more than 100 companies.

The software giant published the advisory on Thursday, June 11, 2026. By then, the cybercrime group ShinyHunters had already claimed responsibility for a mass-hacking campaign targeting PeopleSoft servers worldwide.

PeopleSoft is Oracle's enterprise software for managing payroll, human resources, and employee data. Large corporations and government agencies rely on it to store everything from salary details to Social Security numbers. A compromise means attackers can walk away with a complete employee database.

The vulnerability carries a critical severity rating. Oracle didn't say how long the bug existed before ShinyHunters found it, or whether the company knew about it before the group's public boast.

ShinyHunters is a well-known cybercrime group with a track record of large-scale data breaches. In 2021, the group stole and leaked data from over 60 companies, including Microsoft, AT&T, and Nokia. This latest campaign appears to be one of their most ambitious — targeting over 100 organizations in a single wave.

Oracle hasn't confirmed the full list of breached companies. The advisory urges all PeopleSoft customers to apply the patch immediately. The company said it's not aware of any active exploitation beyond what ShinyHunters has claimed.

Security researchers have already reverse-engineered the patch. They found that the bug allows remote code execution without authentication — meaning an attacker can take full control of a PeopleSoft server simply by sending a malicious request over the internet. No login needed.

For the companies affected, the fallout is just beginning. Payroll and HR systems contain highly sensitive personal data. If ShinyHunters follows its usual playbook, the group will try to sell the stolen data on underground forums or extort victims before leaking it publicly.

Oracle hasn't said whether the U.S. government or law enforcement has been notified. The company typically coordinates with the FBI and CISA on major vulnerabilities, but the timing of this advisory — after the breach was made public — suggests the response was reactive.

ShinyHunters hasn't revealed how many of the 100+ breaches it has already completed. The group posted a teaser on a cybercrime forum, hinting that more details would follow. Companies that use PeopleSoft should assume they're at risk until they confirm they've patched.

This isn't the first time Oracle has been caught flat-footed. In 2022, the company patched a critical flaw in its WebLogic server months after researchers warned it was being actively exploited. The PeopleSoft incident follows a similar pattern: the hackers strike first, the advisory comes after.

The response depends on how quickly the targeted companies can act. Oracle's patch is out. The clock is ticking. Every day a PeopleSoft server stays unpatched is another day ShinyHunters — or anyone else who reverse-engineers the fix — can walk right in.