Oracle warned corporate customers of a critical vulnerability in its PeopleSoft software, used for payroll and human resources, after the hacking group ShinyHunters claimed to have breached more than 100 organizations using the software. The security advisory was published Thursday, a day after ShinyHunters took credit for the mass-hacking campaign. Mandiant, the Google-owned security unit, confirmed the flaw is the same bug being abused by ShinyHunters. Oracle has not released a patch for the vulnerability, which can be exploited over the internet without authentication. The company recommended customers apply mitigations to prevent exploitation. Mandiant notified more than 100 global organizations, most in the United States, with about two-thirds in higher education. Some organizations experienced compromise, resulting in stolen data being published on ShinyHunters’ data leak website. Oracle did not respond to TechCrunch’s request for comment.
What’s reported
Oracle warned of a critical vulnerability in its PeopleSoft software.
ShinyHunters claimed to have breached more than 100 organizations using PeopleSoft.
Mandiant confirmed the bug is the same one ShinyHunters is abusing.
Oracle has not released a patch; the bug can be exploited without authentication.
Oracle recommended customers apply mitigations.
Mandiant notified more than 100 global organizations, most in the U.S., with about two-thirds in higher education.
Some organizations experienced compromise, with stolen data published on ShinyHunters’ data leak website.
A ShinyHunters member told TechCrunch the gang compromised companies by abusing an unpatched zero-day flaw.
The hacker shared a message claiming stolen student records included full name, address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID.
In the last year, ShinyHunters targeted companies using Salesforce, Gainsight, and Instructure.
Earlier this year, Instructure said it paid hackers after a breach; ShinyHunters defaced login pages of schools using Canvas.
Open questions
When Oracle will release a patch for the vulnerability.
The total number of organizations that experienced data theft.
Whether any ransoms were paid by PeopleSoft customers.
Key figures
Oracle (company)
ShinyHunters (hacking group)
Mandiant (Google-owned security unit)
TechCrunch (news outlet)
Lorenzo Franceschi-Bicchierai (TechCrunch reporter)
Sources: TechCrunch