| Threat Level: HIGH for Affected Organizations ShinyHunters has stolen HR, payroll, financial, and student records from over 100 organizations running Oracle PeopleSoft. The group threatens to publish the data unless ransoms are paid. |
What Happened
ShinyHunters, a criminal group with a documented record of large-scale data theft, is running an active campaign against organizations using Oracle PeopleSoft. PeopleSoft manages HR, payroll, finance, and student records across universities, hospitals, government agencies, and large businesses.
The attack is not technical in the way most people picture. The group steals structured records and then extorts the organization: pay, or the data gets published or sold. Over 100 organizations are confirmed victims. The data stolen is the kind that makes identity theft straightforward: employee names, Social Security numbers, compensation records, tax forms, student enrollment data, and medical billing information.
ShinyHunters has followed through on publication threats in past operations. The data is likely already in circulation.
Who This Affects
Employees, students, and patients of any organization running PeopleSoft are the most directly exposed. Universities, hospital systems, government agencies, and large employers are the primary targets. If your employer or school uses PeopleSoft for HR and payroll, your records were likely part of what was taken. You did not click anything, visit any site, or make any mistake. The exposure happened entirely at the organizational level.
For small business owners, the risk is indirect but real. Stolen employee records from these breaches feed targeted phishing campaigns. Attackers use real names, real employers, and real personal details to write convincing fraudulent emails. Anyone in the exposed dataset becomes a more credible phishing target for months or years after the breach.
What to Do
Freeze Your Credit at All Three Bureaus
A credit freeze stops anyone from opening new lines of credit in your name, even with your Social Security number and address in hand. It is free, takes minutes online, and does not affect your existing accounts. Lift it temporarily only when you need to apply for credit yourself.
Place the freeze at each bureau separately:
- Equifax: equifax.com/personal/credit-report-services
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
Check If Your Data Is Already Exposed
- HaveIBeenPwned.com: Free. Enter your email to see if it appears in any known breach dataset. Updated regularly by a trusted security researcher.
- Google One Dark Web Report: Free for any Google account. Scans for your email, phone, and name and sends alerts when something surfaces.
Protect Your Accounts Against Phishing
Phishing campaigns that follow large breaches are often more damaging than the breach itself. Attackers have enough real information to write convincing emails. The response is direct:
- Two-factor authentication (2FA): Turn it on for every account that offers it. Email, banking, payroll portals, benefits platforms. A stolen password alone does not get an attacker in.
- Bitwarden: Free. Open-source password manager. Unique passwords for every account mean one stolen credential does not expose everything else.
- 1Password: ~$36/year. A user-friendly alternative with strong family and small team options.
For Small Business Owners: Address Third-Party Risk
If your business shares data with larger organizations, review your vendor agreements for breach notification requirements. Cyber liability insurance has become a practical necessity:
- Coalition: Policies from ~$500-$1,000/year for small businesses. Includes breach response support.
- Cowbell Cyber: Similar pricing, with continuous monitoring built into the policy.
- Aura: ~$144/year for individuals and families. Combines identity monitoring, credit alerts, and dark web scanning.
| What to Do Right Now Freeze your credit at all three bureaus today. Turn on two-factor authentication on every account. Use a password manager so one stolen credential does not expose everything else. These steps cost little and close off most of what attackers do with stolen records. |