
PeopleSoft Zero-Day Exploit Steals 48GB Data in Widespread Attack

Ars Technica

A previously unknown exploit in PeopleSoft software has compromised hundreds of organizations, with Mandiant reporting that attackers successfully stole and published data on the ShinyHunters data leak site. The breach affects enterprise systems widely used for human resources and financial management across major corporations.

Forensic analysis reveals the attackers deployed a bash script to conduct reconnaissance, mapping PeopleSoft configurations and examining WebLogic server settings before establishing SSH connections to external servers. They compressed stolen data with zstd before exfiltration, with one victim losing approximately 48GB of sensitive information to the leak site.
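The behaviors named above (zstd compression and SSH connections to external servers) can be turned into a simple hunting rule. The following is an added example, not code from Mandiant, Rapid7 or the article: it flags an account that runs `zstd` and then opens an `ssh`/`scp`/`sftp` session to a non-internal address within 30 minutes. The log format, the account names, the time window and the internal ranges are all assumptions, and the sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed process-execution records: "<ISO time> <user> <command line>".
# Account names and addresses are illustrative, not taken from the incident.
SAMPLE_EVENTS = """\
2025-01-01T02:10:05 psadm zstd -T0 -o /tmp/out.zst /tmp/stage
2025-01-01T02:14:40 psadm ssh -p 22 user@203.0.113.10
2025-01-01T03:00:00 backup zstd -o /backup/db.zst /backup/db.dump
2025-01-01T03:05:00 backup scp /backup/db.zst backup@10.0.5.20:/archive/
2025-01-01T09:00:00 psadm ssh admin@203.0.113.10
"""

# Assumed internal ranges; replace with the organization's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def remote_host(cmdline):
    """Return the host part of the first user@host[:path] argument, if any."""
    for token in cmdline.split()[1:]:
        if "@" in token:
            return token.split("@", 1)[1].split(":", 1)[0]
    return None

def is_external(host):
    """Hostnames are treated as external so an analyst reviews them."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def find_compress_then_ssh(log_text, window=timedelta(minutes=30)):
    """Flag zstd followed by outbound ssh/scp/sftp from the same account."""
    last_zstd, alerts = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        exe = cmd.split()[0]
        if exe == "zstd":
            last_zstd[user] = when
        elif exe in ("ssh", "scp", "sftp"):
            host, seen = remote_host(cmd), last_zstd.get(user)
            if host and is_external(host) and seen and when - seen <= window:
                alerts.append((user, host, ts))
    return alerts

if __name__ == "__main__":
    for alert in find_compress_then_ssh(SAMPLE_EVENTS):
        print("review:", alert)
```

The scheduled backup to an internal address and the later SSH session with no recent compression are not flagged, which keeps the rule from firing on routine administration.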

ShinyHunters has operated since 2019, targeting major enterprises through various methods including cloud misconfigurations, software vulnerabilities, and social engineering attacks. Recent high-profile victims include Ticketmaster, Santander, and Salesforce (affecting Google and other downstream companies through supply chain compromises).

Both Mandiant and Rapid7 have published indicators of compromise and emergency guidance for PeopleSoft customers. Organizations running the software should immediately audit their configurations, review access logs, and apply security patches. The incident demonstrates how a single vulnerability in widely deployed enterprise software can cascade into massive data breaches affecting millions.