Breaches | 5 min read | 29 June 2026

ShinyHunters Breached NAIC via Oracle PeopleSoft Zero-Day — But the Regulator Says the Haul Was Mostly Junk

The National Association of Insurance Commissioners confirms attackers exploited an unpatched vulnerability in an internet-facing PeopleSoft server, while disputing the extortion crew's characterization of what was actually stolen.

Marcus Hale, Head of Security Research

What Happened

The National Association of Insurance Commissioners (NAIC) confirmed that the extortion group ShinyHunters gained access to its systems by exploiting a zero-day vulnerability in an internet-facing Oracle PeopleSoft server — but the organization insists the stolen material amounts to publicly available records, outdated log files, and configuration artifacts, not the sensitive regulatory data the threat actors have implied.

The NAIC functions as the coordinating body for all U.S. state insurance regulators. That institutional role places it, at least theoretically, upstream of a significant volume of financial supervisory data. ShinyHunters appears to have understood that positioning, using the organization's perceived sensitivity as leverage in its leak-site posturing. The actual data, if NAIC's account holds, tells a far less dramatic story.

What NAIC Says Was — and Wasn't — Taken

NAIC's internal investigation found that the attackers reached systems containing log data, configuration files, and material already accessible through the association's public regulatory portals. No production policyholder records. No supervisory examination files. That is the organization's stated position as of its most recent public communications.

The distinction matters. Regulators and insurers who feared that non-public examination findings or consumer data were exposed can, for now, take some comfort in that characterization. But "for now" is doing meaningful work in that sentence. NAIC has not specified the precise timeframe of the intrusion window, and until Oracle assigns a CVE number to the exploited flaw, independent verification of the attack chain remains impossible. Treat the "zero-day" label as the victim's own characterization — not a confirmed vendor designation — until Oracle speaks to it directly.

The association has notified law enforcement and retained outside incident response counsel. It has not disclosed whether it received a direct extortion demand, nor how it intends to respond if one arrives.

The PeopleSoft Attack Surface Problem

Oracle PeopleSoft is a sprawling enterprise resource planning platform that many large organizations — government agencies, financial regulators, universities, healthcare systems — have run on-premises or in infrastructure-as-a-service environments for years. That deployment longevity is itself a risk factor.

Oracle ships quarterly Critical Patch Updates (CPUs) addressing PeopleSoft vulnerabilities. Across 2024 and into 2025, those updates have patched a consistent stream of deserialization flaws, authentication bypasses, and integration-layer exposures. The platform's Integration Broker, PeopleSoft Internet Architecture (PIA) layer, and underlying WebLogic application server each represent distinct attack surfaces that defenders must patch and audit separately. Applying a CPU to the application tier but missing the WebLogic layer underneath is a common gap.

For organizations running internet-facing PeopleSoft instances, the immediate to-do list is specific: inventory every externally reachable endpoint, audit custom servlets and Integration Broker configurations, pull egress logs to identify unusual outbound data movement, and confirm that Oracle's latest CPU has fully landed on every component in the stack — not just the application itself.

"Patch Tuesday cadence is necessary but not sufficient for complex ERP platforms," said one enterprise security architect familiar with PeopleSoft deployments, speaking generally about the platform's security posture. "Organizations treat a CPU as a checkbox. But custom configurations and legacy servlets can survive a patch cycle completely untouched."

ShinyHunters: A Brand More Than a Fixed Crew

ShinyHunters emerged prominently during the 2024 Snowflake customer extortion wave, where attackers harvested credentials from environments that lacked multi-factor authentication and used them to exfiltrate data at scale from dozens of Snowflake tenants. The group has since expanded its targeting focus from SaaS environments toward enterprise ERP platforms.

The playbook rhymes across incidents: identify an internet-exposed enterprise application, extract data at volume, post a sample on a leak forum, demand payment, and escalate the leak cadence if the victim goes quiet. Whether the same core operators execute every campaign flying the ShinyHunters name is a genuinely open question. Security researchers increasingly treat "ShinyHunters" as a brand — shared infrastructure and tooling, but inconsistent tradecraft that suggests multiple operators or affiliates claiming the label. Attribution at the individual operator level remains low-confidence.

What is consistent is the targeting logic. High-profile organizations with perceived data sensitivity make compelling extortion targets regardless of what the actual data contains. The reputational threat alone creates pressure to pay.

According to the Verizon 2024 Data Breach Investigations Report, system intrusion — the pattern that encompasses exploitation of application vulnerabilities followed by data exfiltration — accounted for 36% of all breaches analyzed. ERP platforms running internet-facing components represent exactly the kind of high-value, high-complexity target that drives that figure.

Which Controls Failed Here

The zero-day label, if accurate, shifts some blame away from patch management. You cannot patch a vulnerability the vendor has not yet disclosed. But the deeper control failure is architectural: an internet-facing ERP system belonging to a regulatory body with no described compensating controls between the public internet and systems holding any sensitive data.

Segmentation and egress monitoring should have limited what an attacker could reach after initial access. If the stolen material is genuinely restricted to logs and public-domain configuration artifacts, that outcome may reflect some degree of effective segmentation — or it may reflect the attacker's specific objectives rather than effective defense. Defenders cannot count on attackers having narrow goals.

Organizations running awareness training programs often focus heavily on phishing — and rightly so, given that phishing remains the leading initial access vector. But the NAIC incident is a reminder that technical exploitation of exposed infrastructure bypasses the human layer entirely. Employees could be perfectly trained and this breach would still have happened. That makes security awareness training most effective when it includes the technical staff responsible for ERP hygiene, patch validation workflows, and internet exposure audits — not just end users watching phishing simulations.

The identity hygiene question also deserves attention. PeopleSoft environments that have grown organically over years accumulate service accounts, integration credentials, and API tokens that rarely get rotated. If an attacker moves laterally using a harvested service account, the breach scope expands dramatically. Reviewing privileged account inventories and enforcing MFA on every administrative interface — including PIA administrative consoles — should be a standing practice, not a post-incident reaction.

What Defenders Should Do Now

If your organization runs Oracle PeopleSoft in any configuration:

  • Confirm that Oracle's most recent CPU has been fully applied across the application tier, the WebLogic server, and any integration middleware.
  • Run an egress log review covering at least the past 90 days, focusing on unusual outbound connections from PIA or Integration Broker components.
  • Audit every internet-facing PeopleSoft endpoint. Ask whether each one genuinely needs to be publicly routable, or whether VPN or IP-allowlist controls are feasible.
  • Rotate service account credentials and API keys on any integration connected to a public-facing component.
  • Confirm MFA is enforced on every administrative console, not just end-user login flows.
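The egress log review called for in the list above (and in the earlier to-do paragraph), as an added example that is not part of the original article and is not NAIC's or Oracle's code: it parses constructed firewall-style egress records, scopes the review to hosts whose names mark them as PIA or Integration Broker nodes, and flags external flows that are either off the integration allowlist or unusually large for a single connection. The host-naming prefixes, internal address ranges, allowlist and byte threshold are all assumptions to be replaced with your own values.

```python
import ipaddress

# Constructed firewall-style egress records (not NAIC or Oracle data):
# timestamp source_host source_ip dest_ip dest_port bytes_out
SAMPLE_LOG = """\
2026-06-20T01:02:03Z pia-web01 10.10.1.21 10.10.5.40 1521 20480
2026-06-20T01:05:11Z ib-gw01 10.10.1.30 198.51.100.20 443 8192
2026-06-20T02:14:52Z pia-web01 10.10.1.21 203.0.113.77 443 734003200
2026-06-20T02:20:09Z pia-web01 10.10.1.21 198.51.100.9 22 4096
2026-06-20T03:00:00Z hr-batch02 10.10.2.5 203.0.113.5 443 999999999
"""

# All values below are assumptions for this example, not site-specific facts.
PEOPLESOFT_ROLE_PREFIXES = ("pia-", "ib-")            # hosts carrying PIA / Integration Broker
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # east-west traffic is reviewed separately
ALLOWED_EXTERNAL = [(ipaddress.ip_network("198.51.100.0/24"), 443)]  # sanctioned integrations
BYTES_THRESHOLD = 100 * 1024 * 1024                   # flag any larger single outbound flow


def parse_line(line):
    ts, host, src, dst, port, nbytes = line.split()
    return {"ts": ts, "host": host, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "bytes": int(nbytes)}


def is_allowlisted(dst, port):
    return any(dst in net and port == p for net, p in ALLOWED_EXTERNAL)


def review_egress(log_text):
    """Return one finding per suspicious external flow from a PIA / IB host."""
    findings = []
    for raw in filter(str.strip, log_text.splitlines()):
        rec = parse_line(raw)
        if not rec["host"].startswith(PEOPLESOFT_ROLE_PREFIXES):
            continue  # other hosts are out of scope for this review
        if any(rec["dst"] in net for net in INTERNAL_NETS):
            continue  # internal flows (e.g. to the DB tier) are a separate review
        reasons = []
        if not is_allowlisted(rec["dst"], rec["port"]):
            reasons.append("destination:port not on integration allowlist")
        if rec["bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"large outbound volume ({rec['bytes']} bytes)")
        if reasons:
            findings.append({"ts": rec["ts"], "host": rec["host"], "dst": str(rec["dst"]),
                             "port": rec["port"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_egress(SAMPLE_LOG):
        print(f["ts"], f["host"], f"{f['dst']}:{f['port']}", "|", "; ".join(f["reasons"]))
```

Over the constructed sample this flags two flows from pia-web01: a very large transfer to an unlisted address, and an SSH connection to an allowlisted network on a port the allowlist does not sanction.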

NAIC's investigation is ongoing. Oracle has not issued a public statement tying a CVE to the exploited vulnerability. ShinyHunters' next move will likely depend on how NAIC responds — or declines to respond — to whatever demand, if any, has been made. Expect the group to release additional data samples if it perceives silence as non-compliance.

The broader lesson for the insurance regulatory community is one of attack surface discipline. High institutional visibility makes an organization a target. Internet-exposed ERP infrastructure turns that visibility into an open door.

How this breach pattern could have been reduced

  • Enforce network segmentation so that a compromised internet-facing application cannot reach production data systems without additional authentication barriers.
  • Build patch validation workflows that explicitly confirm updates land on every component in a stack — application, middleware, and underlying server — not just the top layer.
  • Train technical and IT staff on ERP-specific attack surfaces and the organizational consequences of misconfigured or unmonitored internet-facing enterprise applications.

Train2Secure's security awareness programs cover technical staff and end users alike, helping teams recognize the human and process gaps that compound technical vulnerabilities.


Frequently asked questions

What data did ShinyHunters steal from the NAIC?

The NAIC says the attackers accessed publicly available records, outdated log files, and configuration artifacts. The organization states that no production policyholder data and no supervisory examination files were compromised, though its investigation is ongoing.

How did attackers get into the NAIC's systems?

The NAIC says the attackers exploited a zero-day vulnerability in an internet-facing Oracle PeopleSoft server. No CVE number has been publicly assigned to the flaw by Oracle, so independent verification of the specific vulnerability remains pending.

Is Oracle PeopleSoft commonly targeted by ransomware and extortion groups?

Increasingly yes. PeopleSoft installations often have internet-facing components, long patch cycles, and accumulated legacy configurations — all of which create exploitable attack surface. Oracle ships quarterly Critical Patch Updates, but complex ERP deployments frequently have gaps between what is patched and what is actually protected.

What should organizations running PeopleSoft do right now?

Apply Oracle's latest Critical Patch Update across all tiers including WebLogic, audit internet-facing endpoints, review egress logs for suspicious outbound activity, rotate service account credentials, and enforce multi-factor authentication on every administrative interface.
