Nissan Americas has confirmed a data breach after cybercriminals exploited a critical zero-day vulnerability in Oracle PeopleSoft software. The attack is believed to be part of a larger campaign linked to the ShinyHunters cybercrime group, which has targeted more than 100 organizations worldwide.
According to the company, the breach affected current and former employees across the United States, Canada, Mexico, and Brazil. Nissan has started notifying affected individuals and is offering free credit monitoring and dark web monitoring services where available.
The attack exploited a critical vulnerability, tracked as CVE-2026-35273, in Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. The flaw has a CVSS severity score of 9.8 and allows attackers to execute code remotely without requiring authentication or user interaction. Oracle released an emergency security patch on June 10, 2026, and the vulnerability was quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Security researchers from Mandiant and Google’s Threat Intelligence Group attributed the attacks to the cybercrime group known as UNC6240, also known as ShinyHunters or Bling Libra.
Researchers say the group began exploiting the vulnerability as early as May 27, more than two weeks before Oracle publicly disclosed the flaw. During that time, attackers reportedly compromised over 300 Oracle PeopleSoft servers across more than 100 organizations using automated attack tools.
Nissan said the breach occurred between May 27 and June 9, 2026. The company believes attackers may have accessed sensitive employee information, including:
- Contact information
- Banking details
- Social Security Numbers (SSN), Social Insurance Numbers (SIN), and National Identification Numbers
- Financial and tax information
- Dependent and beneficiary details
The company has not disclosed how many employees were affected.
Nissan said it activated its incident response process immediately after learning about the attack. The company also hired external cybersecurity experts to investigate the incident and is working with law enforcement agencies.
As an additional security measure, Nissan temporarily restricted access to its payroll system. Employees can now access payroll services only through corporate computers or secure VPN connections. The company has also added extra identity verification before processing payroll-related requests.
According to Mandiant, the attackers installed remote management software called MeshCentral on compromised servers while disguising it as legitimate Microsoft Azure services.
After gaining access, the attackers explored PeopleSoft configurations, moved across internal systems, and compressed stolen data before exfiltrating it. They also left behind a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT on compromised systems.
Security experts are urging organizations using Oracle PeopleSoft PeopleTools 8.61 or 8.62 to apply Oracle’s security patch immediately.
Experts also recommend restricting access to PeopleSoft management services, blocking external access to vulnerable endpoints, monitoring for suspicious outbound traffic, checking systems for signs of compromise, and rotating credentials that may have been exposed.
Researchers also warn that patching alone may not be enough because attackers started exploiting the vulnerability weeks before Oracle released its security update.
