Oracle PeopleSoft servers targeted in data theft attacks linked to ShinyHunters


ShinyHunters, one of the most prolific data extortion gangs operating today, has been exploiting Oracle PeopleSoft servers to steal massive troves of sensitive information.

The most significant known incident tied to this campaign hit Wynn Resorts in September 2025. ShinyHunters reportedly gained initial access by exploiting a vulnerability within Wynn’s PeopleSoft system using employee credentials, ultimately exposing the personally identifiable information of over 800,000 employees. That includes names, Social Security numbers, and the kind of data that makes identity theft trivially easy.

How the attacks work, and what ShinyHunters wants

PeopleSoft is Oracle’s enterprise resource planning software, used by large organizations to manage everything from payroll to student records.

In the Wynn Resorts breach, the group leveraged compromised employee credentials to navigate the PeopleSoft environment. Once inside, they exfiltrated a massive dataset and then demanded payment to not leak the stolen information. The ransom request came to 22.34 BTC, roughly equivalent to $1.5 million at the time.

In June 2026, ShinyHunters was tied to a breach at the University of Nottingham, where the target was the Oracle Campus Solutions platform, a PeopleSoft-adjacent system used to manage student records.

ShinyHunters’ broader operation is staggering in scale. The group has claimed responsibility for stealing over 1.5 billion records from more than 1,000 organizations between 2025 and 2026. A significant chunk of that haul came from exploiting Salesforce misconfigurations, but the PeopleSoft attacks represent an expansion into enterprise resource planning systems.

Bitcoin’s persistent role in ransomware economics

ShinyHunters’ ransom demands consistently reference Bitcoin. Not Monero, not any privacy coin, not stablecoins. Bitcoin.

Bitcoin is pseudonymous, not anonymous. Every transaction is recorded on a public ledger, which means law enforcement agencies with sufficient resources can, and do, trace ransom payments.

The roughly $1.5 million Bitcoin demand in the Wynn case is relatively modest by modern ransomware standards. ShinyHunters isn’t encrypting systems and holding operations hostage; they’re stealing data and threatening to publish it. The leverage is reputational damage and regulatory liability, not operational paralysis.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
