ShinyHunters claims to have hacked Oracle PeopleSoft at 100+ organizations and recent malware infections hit Oracle MICROS POS systems, affecting thousands of
The notorious ShinyHunters cybercrime group has announced a wave of data‑theft attacks against Oracle PeopleSoft servers at more than 100 organizations, while separate malware infections have compromised the Oracle MICROS point‑of‑sale (POS) division and five additional POS vendors [1].
Key takeaways
According to a member of the ShinyHunters gang, the attackers exploited a mix of old and zero‑day vulnerabilities—referred to as a “gadget chain”—to target both cloud‑based and on‑premises PeopleSoft installations [3]. The group claims to have compromised about 300 PeopleSoft instances, resulting in data exfiltration from more than 100 organizations, with universities forming the bulk of victims [1]. Extortion notes sent to victims list the stolen information as student and applicant records, including home addresses, phone numbers, email addresses, dates of birth, and additional administrative, immigration, health and financial‑aid data [4]. Nottingham University (UK) confirmed a breach and reported that the leaked data appeared on the ShinyHunters leak site [5].
The gang’s initial objective, as described by the insider, was to infiltrate an FBI PeopleSoft server and post a statement denying ShinyHunters’ involvement in recent swatting attempts flagged by the FBI. That specific attempt was unsuccessful, and the group shifted focus to broader mass hacks [2].
In a separate incident, researchers discovered that attackers had compromised the troubleshooting portal of Oracle’s MICROS payment‑terminal division. The malware harvested customer login credentials, which were then used to gain control of MICROS POS terminals deployed in more than 330,000 locations worldwide [6]. The infection spread to five additional POS vendors, extending the threat to hundreds of thousands of companies across the United States [6]. Security analysts have traced the activity to a set of IP addresses—142.11.200.186 through 190, 108.174.202.99 and 176.120.22.24—providing indicators of compromise for organizations to monitor [5].
The dual‑front attacks illustrate how a single cybercrime group can leverage vulnerabilities in both enterprise resource planning software and retail payment systems, amplifying the potential impact across education, government and commerce sectors. For organizations running Oracle PeopleSoft, immediate log analysis, credential rotation and incident response are critical steps, as recommended by security researchers [5]. Likewise, firms using Oracle MICROS POS solutions must verify that no unauthorized access has occurred, reset affected passwords and isolate compromised terminals to prevent further credential theft [6]. The incidents underscore the importance of patching known vulnerabilities promptly and monitoring for suspicious network activity, especially given the group’s demonstrated ability to combine legacy flaws with zero‑day exploits.
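As an added example (not from the article or any of the cited reports), the log analysis recommended above can start with a sweep of access logs for the IP indicators the article lists. The sample log lines are constructed, and reading "186 through 190" as an inclusive range over the last octet is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# IoC addresses as listed in the article. Reading "142.11.200.186 through 190"
# as an inclusive range over the last octet is an assumption.
IOC_RANGES = [("142.11.200.186", "142.11.200.190"),
              ("108.174.202.99", "108.174.202.99"),
              ("176.120.22.24", "176.120.22.24")]

# Candidate dotted quads; the lookarounds stop matches inside longer tokens.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines (not real traffic) in a common access-log layout.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '142.11.200.188 - - [01/Jan/2026:10:00:05 +0000] "POST / HTTP/1.1" 200 90',
    '10.0.0.5 - - [01/Jan/2026:10:00:09 +0000] "GET / HTTP/1.1" 200 1 xff="176.120.22.24"',
    '142.11.200.191 - - [01/Jan/2026:10:00:12 +0000] "GET / HTTP/1.1" 404 0',
    '142.11.200.1860 - - malformed client field',
]

def build_ioc_set(ranges=IOC_RANGES):
    """Expand inclusive (first, last) pairs into a set of IPv4Address objects."""
    iocs = set()
    for first, last in ranges:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        iocs.update(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
    return iocs

def scan(lines, iocs=None):
    """Return {ioc_ip: [line numbers]} for lines that mention an IoC anywhere,
    including proxy fields such as a forwarded-for value."""
    iocs = build_ioc_set() if iocs is None else iocs
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        found = set()
        for token in IPV4_RE.findall(line):
            try:
                found.add(ipaddress.IPv4Address(token))
            except ipaddress.AddressValueError:
                continue  # not a valid IPv4 address, e.g. an octet above 255
        for addr in sorted(found & iocs):
            hits[str(addr)].append(lineno)
    return dict(hits)

if __name__ == "__main__":
    for ip, linenos in scan(SAMPLE_LOG).items():
        print(f"{ip}: lines {linenos}")
```

A hit is a lead for incident response rather than proof of compromise, and an empty result only covers the log window that was scanned.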
Coverage is mostly measured — 7 of 7 reports stay neutral.
Reports indicate that vulnerabilities were exploited in Oracle's PeopleSoft and E-Business Suite (EBS) platforms.
Attackers are exploiting software vulnerabilities to gain unauthorized access, often without requiring authentication, and deploying malicious implants to steal data.
Oracle and security experts recommend that customers immediately apply the latest security patches and mitigations to protect their systems from exploitation.
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 6 outlets · Jun 11, 2026 · How we report