NAIC Says ShinyHunters Walked Out With Public Data and Stale Logs After PeopleSoft Zero-Day Hit

The regulator-of-regulators confirms an Oracle PeopleSoft zero-day was the entry point, but disputes the extortion crew's claims about what was taken.

Connor Lee

The National Association of Insurance Commissioners says the data exfiltrated during a recent intrusion by the extortion crew tracked as ShinyHunters consisted of publicly available records, outdated logs, and configuration files — not the sensitive regulator-grade material the group has claimed.

The intrusion vector, per NAIC: a zero-day in an internet-facing Oracle PeopleSoft server.

NAIC is the coordinating body for U.S. state insurance regulators. A compromise there would, in theory, sit upstream of a lot of sensitive financial supervisory data. That's the leverage ShinyHunters appears to be banking on with its leak-site posturing.

The association tells a narrower story. Its investigation, it says, found the actor reached systems holding logs and config artifacts plus material already public via NAIC's regulatory portals. No production policyholder data. No supervisory examination files. That's the line.

The PeopleSoft angle is the more interesting technical thread. NAIC has not publicly attached a CVE to the bug it says was exploited as a zero-day. Oracle's quarterly Critical Patch Update cycle has shipped multiple PeopleSoft fixes across 2024 and 2025, and the platform has a long tail of deserialization and authentication-bypass issues. Without a CVE assignment from the vendor, attribution of the exploit chain stays at medium confidence at best. Readers should treat "zero-day" here as the victim's characterization until Oracle confirms.

ShinyHunters itself is a moving target as a label. The cluster — variously tracked alongside or overlapping with the actors behind the 2024 Snowflake customer extortion wave — has shifted from straight data theft and forum sales toward named-and-shamed extortion against enterprise SaaS and ERP tenants. Recent campaigns attributed to the group or its affiliates have hit Salesforce-connected environments and, now, PeopleSoft. The TTPs rhyme: identify an internet-exposed enterprise app, harvest data at scale, post a sample, demand payment.

Whether the same operators run every campaign flying the ShinyHunters flag is unclear. Some researchers treat it as a brand more than a fixed crew, with overlapping infrastructure and tooling between intrusions but inconsistent operator tradecraft. Capability and intent are not the same thing, and the "ShinyHunters" name has been claimed in cases where the underlying access broker is almost certainly someone else.

For defenders running PeopleSoft on-prem or in IaaS, the practical takeaway is unchanged regardless of how the NAIC case resolves. Inventory internet-facing PeopleSoft instances. Audit the Integration Broker, PIA, and any custom servlets. Pull egress logs for the window NAIC has not yet narrowed publicly. Apply Oracle's latest CPU and confirm the patch actually landed on the WebLogic tier underneath.
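As an added example (not NAIC's or Oracle's code) of the log-pull step above, this script triages a web-tier access log in front of PeopleSoft for two signals worth chasing: Integration Gateway connector calls (the standard `/PSIGW/` path) arriving from outside the assumed internal address ranges, and sources whose total response bytes across PIA (`/psp/`, `/psc/`) and Integration Broker endpoints exceed a threshold. The log lines, addresses and internal ranges are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Combined log format as written by a proxy in front of the PeopleSoft web tier (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

IB_PREFIX = "/PSIGW/"              # Integration Gateway listening connectors
PIA_PREFIXES = ("/psp/", "/psc/")  # PIA portal / content servlets
# Assumed internal address space; replace with the real environment's ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log_text: str, byte_threshold: int = 10 * 1024 * 1024) -> list:
    """Flag Integration Broker connector calls from outside INTERNAL_NETS and any
    source whose total PeopleSoft response bytes exceed byte_threshold."""
    findings, bytes_by_src = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        src, path = m["ip"], m["path"]
        is_ib = path.startswith(IB_PREFIX)
        if not is_ib and not path.startswith(PIA_PREFIXES):
            continue  # not a PeopleSoft endpoint
        bytes_by_src[src] += 0 if m["bytes"] == "-" else int(m["bytes"])
        if is_ib and not is_internal(src):
            findings.append({"type": "external_ib_call", "src": src, "path": path, "ts": m["ts"]})
    for src, total in bytes_by_src.items():
        if total > byte_threshold:
            findings.append({"type": "bulk_transfer", "src": src, "bytes": total})
    return findings

# Constructed sample lines (TEST-NET addresses), not real NAIC log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:02:14:03 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:02:14:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 52428800 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:02:15:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 48000000 "-" "python-requests/2.31"
10.20.4.15 - - [10/Mar/2026:02:16:01 +0000] "POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1" 200 1840 "-" "PeopleSoft"
198.51.100.22 - - [10/Mar/2026:02:17:12 +0000] "GET /psc/ps/EMPLOYEE/HRMS/c/SOME_PAGE.GBL HTTP/1.1" 200 31200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feed it the proxy logs for the suspected window and tune `INTERNAL_NETS` and `byte_threshold` to the environment; the internal Integration Broker call from 10.20.4.15 is deliberately left unflagged to show the allow-listing at work.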

NAIC says it has notified law enforcement and engaged outside incident response. It has not said whether it received an extortion demand, nor whether it intends to respond to one. Expect ShinyHunters to escalate the leak cadence if the answer is no.

© 2026 Threat Vectr