The cybercrime group ShinyHunters exploited a critical zero-day flaw in Oracle PeopleSoft between May 27 and June 9, 2026, breaching more than 100 organizations — 68 percent of them colleges and universities, mostly in the United States. Stolen records include names, home addresses, phone numbers, dates of birth, ethnicity, GPA, major, student IDs, and in some cases passport numbers and disability status. Oracle published its security advisory on June 10. Here is what you need to do now.

If your college uses Oracle PeopleSoft — and a large share of U.S. institutions do — your student records may have been swept up in the most serious higher education data breach of 2026.

This is not the same breach as the Canvas/Instructure attack in May. Same criminal group, completely different system, and far more sensitive data.

What Happened and When

The vulnerability, CVE-2026-35273, is a remote code execution flaw in Oracle PeopleSoft Enterprise PeopleTools with a severity rating of 9.8 out of 10. It required no login and no user interaction — just network access over HTTP — to take over a server.[1]

Attacks ran from May 27 through June 9, 2026. Oracle did not publish its security advisory until June 10, which means the flaw was a zero-day for the entire attack window. Universities could not patch their systems in time because no patch existed yet.

The cybersecurity firm Mandiant notified more than 100 organizations whose server addresses matched vulnerable endpoints. Sixty-eight percent of those organizations were in higher education, the vast majority of them U.S. colleges and universities.

The University of Nottingham is among the first confirmed victims publicly named. The leaked data set appeared in Have I Been Pwned shortly after the advisory was published, containing approximately 455,000 unique email addresses from current students and alumni.[2]

What Data Was Taken

PeopleSoft is not a learning management system like Canvas. It is a Student Information System — the administrative database your university uses for enrollment, billing, financial aid records, and academic history. The data it holds is far more sensitive than what Canvas ever sees.

According to security reporting on the leaked records, the exposed data includes:

  • Full legal name, home address, phone number, and email address
  • Date of birth
  • Gender, ethnicity, and in some cases disability status
  • Enrollment status, GPA, academic major, and student ID number
  • Passport numbers (for international students, in some cases)

Ethnicity and disability status are among the most protected categories of student information. If your university was breached, that data may now be in criminal hands. Under state data breach notification laws, universities are required to notify affected students — but in most states that process can take 30 to 60 days.

This Is the Second ShinyHunters Strike on Higher Ed in Six Weeks

In May, the same group breached Instructure's Canvas platform, hitting roughly 9,000 schools worldwide. That breach exposed names, emails, student IDs, and messages between users — serious, but lighter data.

The Oracle PeopleSoft breach is more severe. PeopleSoft holds financial aid records, GPA history, and sensitive personal data that creates real identity theft and discrimination risk.

The Canvas ransom settlement update from late May showed how slowly these situations get resolved from the institution's side. Students affected by the PeopleSoft breach should not wait for their school to act first.

Three Things Most Students Won't Think to Do

1. Check Have I Been Pwned today. Go to haveibeenpwned.com and search both your .edu email address and your personal email. The ShinyHunters dataset was loaded into this free public database shortly after the breach was confirmed. If your address appears, you have direct confirmation your data was in the leak — without waiting for your university's notification.

2. Call your registrar's office and ask a direct question. Ask whether your institution was among those notified by Mandiant. Many schools will not proactively reach out until their legal review is complete. But they are required to answer your question truthfully. Document the response in writing.

3. The zero-day timing affects your options. Because Oracle had not published a patch before the attack window closed, your university almost certainly could not have prevented the breach through routine patching alone. However, institutions that had not restricted external network access to their PeopleSoft servers may face additional scrutiny. If you decide to file a complaint with your state attorney general's office, that technical detail is relevant to include.

If you are an international student and your passport number was part of the exposed data, contact your country's consulate or embassy to report the compromise. Ask for a written record of your report — some passport authorities accept documented breach notifications when you need to explain a reissuance request.

What to Do Right Now

  1. Search your .edu and personal email at haveibeenpwned.com
  2. Contact your registrar and ask whether your institution was among those Mandiant notified
  3. Place a free credit freeze at all three bureaus (Equifax, Experian, TransUnion)
  4. Log in to studentaid.gov and review your FAFSA account for unauthorized changes — the fraud detection systems upgraded in April 2026 may catch activity, but verify yourself
  5. Monitor your email carefully for phishing attempts that reference your real academic information, GPA, or major — details from the stolen data that would make a fake message look credible

What to Watch for Next

Affected schools are likely to send official notifications over the next two to four weeks as investigations wrap up. Watch for communications from your registrar or IT security office. Be suspicious of any email about this breach that comes from an unfamiliar address — criminals may use the stolen contact data to run targeted phishing campaigns.

For broader context on identity fraud in higher education, the FAFSA Ghost Students Act passed earlier this year shows how seriously Congress has begun treating fraudulent use of student records. If you want to understand your rights when a university mishandles your records, the FAFSA step-by-step guide covers how to secure your federal student aid account — a critical layer given that PeopleSoft holds financial aid history.

Staying ahead of a breach like this is harder than staying ahead of everyday campus safety risks, but the steps are the same: act early, ask direct questions, and don't assume someone else is handling it for you.

Footnotes

  1. TechCrunch. (2026, June 10). Cybercriminals claim breach of Oracle PeopleSoft servers at 100-plus organizations. TechCrunch. https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/

  2. The Register. (2026, June 11). ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day. The Register. https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-claims-oracle-peoplesoft-0-day-hit-100-orgs/5254443