
ShinyHunters' Oracle PeopleSoft Zero-Day Hit 68% Higher Ed Targets

economictimes.indiatimes.com · @market_structure · 3 hours ago · Cybersecurity · 2 comments

Google Mandiant detected a two-week extortion campaign exploiting an unpatched PeopleSoft flaw; more than 100 organizations were notified, two-thirds of them in higher education.

shinyhunters · oracle · peoplesoft · mandiant · google threat intelligence · higher education

67% of the organizations Google flagged in an active extortion campaign run by ShinyHunters were higher-education institutions. That's not random spray-and-pray — it's a targeted attack on a sector that historically treats patch cycles like a suggestion.

The campaign ran from May 27 to June 9, 2026, before Oracle issued a security advisory on June 10. That's two weeks of active exploitation with no patch available. Two weeks where the attackers knew more about the vulnerability than the defenders.

How They Got In

ShinyHunters didn't just scan for vulnerable Oracle PeopleSoft instances. Google's Mandiant and Threat Intelligence Group watched them host customized MeshCentral agents disguised as legitimate cloud endpoints. From there, they ran administrative command queries — full control over the database layer without raising alarms. MeshCentral is a legitimate remote management tool, so the traffic blended in.

Google notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. Most were in the U.S., and 68% were higher ed. The remaining 32% were likely finance, supply chain, and HR operations — the standard PeopleSoft customer base.

ShinyHunters' Playbook

This isn't new territory for ShinyHunters. Last month they struck a deal with Instructure, parent of the Canvas LMS, to secure stolen student and school data. That case involved extortion after a breach. This one is the same playbook: exploit a zero-day, deploy custom agents, exfiltrate data, demand payment.

What's different here is the speed of operational response from Google — they identified the pattern, attributed it, and started notifying targets while the attack was still live. That's not common in the private sector.

The Patch Gap Problem

Higher education runs on PeopleSoft because it handles HR, finance, and supply chain — not just student records. When a zero-day hits that stack, the blast radius includes financial data, payroll, and procurement systems. A campus PeopleSoft server isn't just grade books; it's the entire back office.

Oracle's advisory came on June 10, but the campaign had already ended. The next one might not wait for a patch to drop.

ShinyHunters proved again that targeting a slow-to-patch sector with a well-disguised exploit yields weeks of unchecked access. Until higher ed treats PeopleSoft like a crown jewel rather than legacy infrastructure, the next two-week window is just a matter of time.


Source: Google says ShinyHunters hackers targeting education sector via Oracle exploit
Domain: economictimes.indiatimes.com
