ShinyHunters Gang: How a Single Cybercriminal Group Breached Oracle, Instructure, and the FBI in 2026
The ShinyHunters extortion gang is behind some of the worst breaches of 2026 — Oracle PeopleSoft zero-day, Instructure Canvas (30M+ students), FBI surveillance systems, and 7-Eleven. Learn how they operate and how to protect your organization.
In the first half of 2026, one cybercriminal group has been responsible for a staggering number of high-profile breaches: ShinyHunters. From education tech giants to government surveillance systems, this extortion gang has proven that no organization is too big or too secure.
If your organization uses Oracle PeopleSoft, Salesforce, Microsoft 365, or any SaaS platform, you need to understand how ShinyHunters operates — and what you can do to stop them.
Who Are ShinyHunters?
ShinyHunters is a cybercriminal group specializing in data theft and extortion. They do not just steal data — they publish it on dark web leak sites (DLS) to pressure victims into paying ransoms. Their primary targets are SaaS platforms, CRM systems, and educational institutions.
The group gained notoriety in 2020 and has since evolved into one of the most prolific extortion operations in the world. In 2026, they have escalated dramatically.
The Oracle PeopleSoft Zero-Day: CVE-2026-35273
On June 10, 2026, Oracle disclosed a critical vulnerability in PeopleSoft's Environment Management component. The flaw, tracked as **CVE-2026-35273**, carries a CVSS score of **9.8 out of 10**, which places it in the Critical band, the highest severity rating.
How the Attack Worked
Between May 27 and June 9, 2026, ShinyHunters exploited this zero-day to:
1. **Gain unauthenticated remote code execution** on internet-facing PeopleSoft systems
2. **Deploy a customized MeshCentral RMM** (Remote Monitoring and Management) tool disguised as legitimate Microsoft Azure services
3. **Establish persistent access** to compromised systems
4. **Exfiltrate data** including billing records, payment details, student finance data, and campus portal exports
Who Was Hit
Google Cloud's threat intelligence team (GTIG) identified and notified over 100 organizations. **68% of identified targets were higher education institutions.** While some organizations blocked the attack, others experienced full compromise, with stolen data published on the ShinyHunters DLS.
The Data Exposed
The leaked data included:
**What to do now:**
The Instructure Canvas Breach: 30 Million Students
The Instructure breach is now considered the largest education-sector breach on record. ShinyHunters targeted Canvas, the learning management system used by 41% of higher education institutions in North America.
Timeline of Events
The Second Hack
What makes this breach particularly alarming is that Instructure was breached twice within two weeks. After the first breach, the company claimed the issue was resolved. ShinyHunters broke in again on May 7, this time defacing Canvas login screens during school finals — disrupting exams for students across the United States.
The Ransom Payment
Despite FBI efforts to dissuade Instructure from paying, the company ultimately paid the ransom. They received "shred logs" confirming data destruction. This decision has been controversial, as ransom payments often embolden attackers.
The FBI Surveillance System Breach
In April 2026, the FBI was forced to declare a "major cyber incident" after one of its surveillance systems was compromised. The breach potentially exposed phone numbers of targets under surveillance by federal agents.
Why This Matters
The FBI breach is significant not just for the data exposed, but for what it represents: even the most security-conscious organizations are vulnerable. If the FBI can be breached, no organization should assume it is immune.
The 7-Eleven and Carnival Breaches
The ShinyHunters campaign has also hit major consumer brands:
These breaches demonstrate that ShinyHunters does not discriminate by industry. If your organization has valuable data, you are a target.
The Pattern: Social Engineering and Extortion
Across all these breaches, a clear pattern emerges:
1. Social Engineering as the Entry Point
ShinyHunters does not always rely on technical exploits. The Carnival breach started with a single employee being socially engineered. The French Tchap messenger breach started with a compromised user account obtained through social engineering.
**The lesson:** Your employees are your weakest link.
2. Double Extortion
The group steals data and threatens to publish it unless a ransom is paid. This creates two problems:
3. Rapid Re-Compromise
After Instructure claimed the first breach was resolved, ShinyHunters broke in again within 24 hours. This shows that paying a ransom does not guarantee the attacker is gone.
4. Dark Web Leak Sites
The group maintains a dedicated DLS where they publish stolen data. This creates public pressure on victims to pay.
How ShinyHunters Targets SaaS Platforms
The group specifically targets SaaS and CRM platforms because:
1. **Centralized data** — One breach exposes thousands of customers
2. **Trust relationships** — Compromised SaaS platforms can be used to attack downstream customers
3. **Low barrier to entry** — Many SaaS platforms have weak access controls
4. **High ransom potential** — Organizations will pay to avoid reputational damage
How to Protect Your Organization
For IT Teams
1. **Patch PeopleSoft immediately** — CVE-2026-35273 is actively being exploited
2. **Enable MFA everywhere** — Especially on admin accounts and SaaS platforms
3. **Monitor for unauthorized RMM tools** — MeshCentral, AnyDesk, TeamViewer
4. **Implement zero-trust architecture** — Never trust, always verify
5. **Deploy EDR solutions** — Endpoint Detection and Response tools can catch behavioral anomalies
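One way to act on item 3 is to sweep a service inventory for the RMM products named above and for services that claim to be Azure without a Microsoft signature. This is an added example, not code from the original article; the inventory fields, approved-tool list, hosts, paths and signers are assumptions and constructed sample data.

```python
from dataclasses import dataclass

# Name fragments of the RMM products listed above (MeshAgent is MeshCentral's agent).
RMM_MARKERS = {"meshcentral": "MeshCentral", "meshagent": "MeshCentral",
               "anydesk": "AnyDesk", "teamviewer": "TeamViewer"}
# Assumption: (host group, product) pairs your IT team has approved.
APPROVED = {("helpdesk", "TeamViewer")}
# Assumption: signer your inventory records for genuine Azure agents.
MICROSOFT_SIGNER = "Microsoft Corporation"

@dataclass
class Service:
    host: str
    group: str
    name: str     # service display name
    binary: str   # executable path
    signer: str   # code-signing subject, "" if unsigned

def classify(svc):
    """Return the findings for one inventory row (empty list if clean)."""
    findings = []
    text = f"{svc.name} {svc.binary}".lower().replace(" ", "")
    product = next((p for m, p in RMM_MARKERS.items() if m in text), None)
    if product and (svc.group, product) not in APPROVED:
        findings.append(f"unapproved RMM: {product}")
    # Masquerade check: the name claims Azure but the binary is not Microsoft-signed.
    if "azure" in svc.name.lower() and svc.signer != MICROSOFT_SIGNER:
        findings.append("Azure-named service without Microsoft signature")
    return findings

def triage(inventory):
    """Map (host, service name) -> findings, for rows with at least one finding."""
    report = {}
    for svc in inventory:
        findings = classify(svc)
        if findings:
            report[(svc.host, svc.name)] = findings
    return report

# Constructed sample inventory (hosts, paths and signers are made up).
INVENTORY = [
    Service("psft-web01", "erp", "Azure Update Service",
            r"C:\ProgramData\AzureUpdate\meshagent.exe", ""),
    Service("psft-web02", "erp", "AnyDesk", r"C:\Users\Public\AnyDesk.exe", "AnyDesk Software GmbH"),
    Service("hd-07", "helpdesk", "TeamViewer",
            r"C:\Program Files\TeamViewer\TeamViewer_Service.exe", "TeamViewer Germany GmbH"),
    Service("app-03", "erp", "Azure Connected Machine Agent",
            r"C:\Program Files\AzureConnectedMachineAgent\himds.exe", "Microsoft Corporation"),
]
```

Name matching alone misses renamed binaries, so treat this as a first-pass filter alongside EDR telemetry rather than a replacement for it.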
For Security Teams
1. **Conduct regular penetration testing** — Identify vulnerabilities before attackers do
2. **Monitor dark web leak sites** — Know if your data has been compromised
3. **Implement data loss prevention** — Prevent unauthorized data exfiltration
4. **Create an incident response plan** — Know exactly what to do when a breach occurs
For Employees
1. **Verify requests** — Never share credentials based on email or phone requests
2. **Report suspicious activity** — If something looks wrong, report it immediately
3. **Use strong, unique passwords** — And enable MFA on every account
4. **Be wary of urgency** — Social engineering relies on creating panic
For Everyone
1. **Monitor your accounts** — Watch for unauthorized access to your personal data
2. **Use Have I Been Pwned** — Check if your email has been compromised
3. **Freeze your credit** — Prevent identity theft from exposed personal data
4. **Stay informed** — Follow cybersecurity news to know when breaches affect you
The Bigger Picture: Why 2026 Is Different
The ShinyHunters campaign is part of a broader trend in 2026 cybercrime:
Scan Your Domain for Vulnerabilities
While ShinyHunters targets SaaS platforms, your production infrastructure is equally vulnerable. Use Vaarta to scan your domain for:
[Scan your domain now — free](https://vaarta.space)
Conclusion
ShinyHunters is not just another cybercriminal group — they are a sophisticated operation that has breached some of the most prominent organizations in the world in 2026. From Oracle PeopleSoft zero-days to FBI surveillance systems, no organization is beyond their reach.
The best defense is proactive security: patch your systems, train your employees, monitor your infrastructure, and scan your domains regularly. The cost of prevention is always less than the cost of recovery.
Frequently Asked Questions
What is CVE-2026-35273?
CVE-2026-35273 is a critical vulnerability in Oracle PeopleSoft's Environment Management component with a CVSS score of 9.8. It allows unauthenticated remote code execution on internet-facing systems and has been actively exploited by ShinyHunters.
How do I know if my organization uses PeopleSoft?
PeopleSoft is an enterprise resource planning (ERP) system used primarily by universities, government agencies, and large corporations. Check with your IT department or look for URLs containing "ps" or "peoplesoft" in your organization's web infrastructure.
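A bare "ps" substring also matches `https`, `apps` and `maps`, so an inventory check works better when keyed on path structure. The following added example (not from the original article) scans constructed proxy-log rows for PeopleSoft's `/psp/` and `/psc/` servlet paths and reports which hosts were reached from outside; the log format, hostnames and internal ranges are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# PeopleSoft's portal (psp) and content (psc) servlets appear as the first path segment.
PS_SERVLET = re.compile(r"^/(psp|psc)/", re.IGNORECASE)
# Assumption: address ranges you treat as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_peoplesoft(url):
    """Match on path structure or the word 'peoplesoft', never on a bare 'ps'."""
    parts = urlsplit(url)
    named = "peoplesoft" in f"{parts.hostname or ''}{parts.path}".lower()
    return named or bool(PS_SERVLET.match(parts.path))

def is_external(addr):
    """True when the client address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def peoplesoft_exposure(log_lines):
    """Map each PeopleSoft hostname to True if any client address was external."""
    hosts = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed rows
        src, url = fields[0], fields[1]
        if is_peoplesoft(url):
            host = urlsplit(url).hostname
            hosts[host] = hosts.get(host, False) or is_external(src)
    return hosts

# Constructed proxy log rows: "<client ip> <requested url>" (documentation addresses).
SAMPLE_LOG = [
    "10.4.2.17 https://hr.example.edu/psp/ps/EMPLOYEE/HRMS/?cmd=login",
    "203.0.113.50 https://finance.example.edu/psc/csprd/EMPLOYEE/SA/c/",
    "10.4.2.17 https://finance.example.edu/psp/csprd/?cmd=login",
    "198.51.100.9 https://apps.example.edu/maps/index.html",
    "10.9.0.3 https://peoplesoft-test.example.edu/signon.html",
]
```

Hosts that map to `True` were reached from outside the internal ranges and are the first to confirm as patched.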
Should I pay a ransom if my data is breached?
Law enforcement generally advises against paying ransoms. Payment does not guarantee data destruction, and it emboldens attackers. However, every situation is unique — consult with cybersecurity experts and legal counsel before making a decision.
How can I check if my personal data has been compromised?
Use Have I Been Pwned (haveibeenpwned.com) to check if your email address has appeared in known data breaches. Monitor your financial accounts for unauthorized activity and consider freezing your credit if sensitive personal information was exposed.