Oracle warns of critical PeopleSoft bug exploited in 100+ breaches
Original: Oracle warns of security bug that hackers abused to breach 100+ companies
Why This Matters
Critical zero-day affecting major HR systems highlights supply chain security risks
Oracle issued a security advisory for a critical PeopleSoft vulnerability after the ShinyHunters hacking group claimed to have breached over 100 organizations. The zero-day flaw requires no authentication and targets payroll/HR systems, with two-thirds of the victims being higher education institutions.
Oracle published a security advisory Thursday warning of a critical vulnerability in its PeopleSoft software used for payroll and human resources management. The warning came after cybercrime group ShinyHunters claimed responsibility for breaching more than 100 organizations using the flaw. Google-owned Mandiant confirmed this is the same zero-day bug being exploited in the mass-hacking campaign. The vulnerability can be exploited over the internet without authentication. Oracle has not released a patch but recommended mitigation measures. Mandiant notified over 100 global organizations, mostly in the US, with about two-thirds in higher education. Some organizations successfully blocked attacks while others experienced data theft, with stolen information published on ShinyHunters' leak website. The hackers claimed to have stolen hundreds of thousands of student records including names, addresses, GPAs, and enrollment data.