ShinyHunters exploited an unpatched Oracle PeopleSoft zero-day (CVE-2026-35273) to breach universities, steal data, and demand payment. Learn how the attack worked and how to protect your systems.
The ShinyHunters extortion crew has been making headlines again. This time, they exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal sensitive data, and demand payment to keep it private. The campaign hit universities hardest, exposing the vulnerabilities that even major institutions face when security patches lag behind.
### The Zero-Day Vulnerability
The bug in question is CVE-2026-35273. It's a zero-day, meaning attackers were already exploiting it before Oracle had published a fix. Google's Mandiant, a top cybersecurity firm, tracks the group behind this as UNC6240. Mandiant pinpointed the activity between May 27 and June 9. Oracle didn't publish its advisory until June 10, so the bug was a ticking time bomb for over two weeks.
For universities, this is a nightmare. They store everything from student records to research data. When ShinyHunters got in, they likely grabbed Social Security numbers, financial aid info, and intellectual property. The group then threatened to leak it all unless paid off.
### How the Attack Worked
ShinyHunters used a technique that's both simple and devastating. They found the flaw in Oracle PeopleSoft, which is a common enterprise resource planning system. Think of it like a master key to a building. Once they had that key, they could open any door.
- **Initial Access:** The exploit gave them a foothold in the network.
- **Lateral Movement:** From there, they moved sideways, accessing databases and file servers.
- **Data Exfiltration:** They stole what they could, likely terabytes of data.
- **Extortion:** Then came the demand: pay up or we publish it.
This isn't new for ShinyHunters. They've hit companies like Microsoft and AT&T before. But targeting universities feels different. It's like kicking a puppy. These institutions often have limited budgets for cybersecurity, making them easy prey.
### Why Universities Are Vulnerable
Universities are a unique target. They're open by nature, with thousands of users accessing systems daily. You've got students, faculty, and staff, all using different devices. It's a security nightmare.
> "Universities are like a buffet for hackers," says one security expert I spoke with. "They have valuable data but not the defenses of a bank."
Most schools run on tight budgets. They spend money on buildings and research, not on the latest firewalls. This makes them prime targets for groups like ShinyHunters.
### What You Can Do
If you're running a university IT department, or even a business using Oracle PeopleSoft, you need to act fast. Here's a checklist:
- **Patch Immediately:** Oracle released a fix on June 10. If you haven't applied it, you're still at risk.
- **Monitor Logs:** Look for unusual activity between May 27 and now. Any strange logins or data transfers?
- **Train Staff:** Phishing is often the entry point. Make sure everyone knows how to spot a scam.
- **Backup Data:** Keep offline backups. If you get hit, you can restore without paying.
Don't wait for a breach to happen. The cost of prevention is always less than the cost of cleanup.
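One way to act on the "Monitor Logs" item, as an added example that is not from the original article: a triage pass over web-tier access logs that flags clients whose daily download volume from May 27 onward is large and far above their own earlier history. It assumes common/combined log format; the year (taken from the CVE identifier), the thresholds, the `triage` name and the sample lines are assumptions or constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date, datetime

# Start of the activity window given on the page. The year is an assumption
# taken from the CVE identifier; the thresholds below are assumptions too.
WINDOW_START = date(2026, 5, 27)

# Common/combined access-log format: client, timestamp, request, status, bytes.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} (?P<bytes>\d+|-)')

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [20/May/2026:09:12:01 +0000] "GET /portal/home HTTP/1.1" 200 48211',
    '198.51.100.7 - - [29/May/2026:09:30:44 +0000] "GET /portal/home HTTP/1.1" 200 51920',
    '203.0.113.45 - - [28/May/2026:02:14:07 +0000] "POST /portal/export HTTP/1.1" 200 73400320',
    '203.0.113.45 - - [28/May/2026:02:19:52 +0000] "POST /portal/export HTTP/1.1" 200 94371840',
]

def triage(lines, start=WINDOW_START, min_bytes=100_000_000, ratio=5):
    """Flag (client, day) pairs from `start` onward whose response volume is
    large and well above that client's busiest day before `start`."""
    daily = defaultdict(int)  # (ip, day) -> bytes sent to that client
    for line in lines:
        m = LINE.match(line)
        if not m or m["bytes"] == "-":
            continue  # unparseable line or no body size recorded
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        daily[(m["ip"], day)] += int(m["bytes"])
    baseline = defaultdict(int)  # ip -> busiest single day before the window
    for (ip, day), total in daily.items():
        if day < start:
            baseline[ip] = max(baseline[ip], total)
    findings = []
    for (ip, day), total in sorted(daily.items()):
        prior = baseline.get(ip, 0)
        if day >= start and total >= min_bytes and total > ratio * prior:
            findings.append((ip, day.isoformat(), total, prior == 0))
    return findings

if __name__ == "__main__":
    for ip, day, total, new_client in triage(SAMPLE):
        print(f"{day} {ip} sent {total} bytes, no prior history: {new_client}")
```

Each finding is a lead for manual review, not a verdict; tune `min_bytes` and `ratio` to what normal report downloads look like on your own system.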
### The Bigger Picture
This attack is a wake-up call. Zero-days are becoming more common, and criminals are getting smarter. ShinyHunters isn't a lone wolf; they're part of a growing trend. As technology advances, so do the threats.
For the average person, this might feel distant. But if you're a student or faculty member, your data could be on the line. Check with your school's IT department. Ask if they've patched PeopleSoft. It's a simple question that could save you a lot of trouble.
In the end, security is everyone's job. Don't leave it to the experts alone. Stay informed, stay cautious, and always update your software.
### Final Thoughts
ShinyHunters exploited a zero-day to breach universities, but the real story is about preparedness. We can't stop every attack, but we can make it harder. Patch your systems, educate your people, and plan for the worst. That's the only way to stay ahead in this game.