UK Cybercrime Journal: University of Nottingham Breached by ShinyHunters

What Happened

  • On 9 June 2026, the University of Nottingham was listed as a victim on the ShinyHunters Tor data leak site.
  • The attackers leaked over 40GB of billing and payment records, student finance data, and campus portal exports from the University of Nottingham and its Malaysia and China campuses.
  • The data stolen includes contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth, and other internal campus data.
  • Further analysis of the leaked data by Have I Been Pwned revealed it also contained over 455,000 unique email addresses along with extensive personal information including ethnicities, disabilities, and passport numbers.
  • On 10 June 2026, security researcher @nahamike01 uncovered an exposed server belonging to ShinyHunters and found them targeting Oracle PeopleSoft servers using MeshCentral agents. Plus, analysis the bash_history logs on the server uncovered SSH connections to the IP address hosting the ShinyHunters Tor data leak site.
  • On 11 June 2026, Mandiant and Google Threat Intelligence Group (GTIG) disclosed they have observed active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure via a zero-day now tracked as CVE-2026-35273, a critical remote code execution (RCE) vulnerability (CVSS 9.8).

Analyst Comment
ShinyHunters is a prolific feature of current threat landscape. This adversary appears to have a particular focus on the educational sector. Last month in May 2026, ShinyHunters targeted another provider of educational software: Instructure Canvas. A number of other UK universities were also impacted by the Instructure breach.

The education sector in the US and UK has suffered repeated, significant data breaches in recent years. In January 2025, BleepingComputer reported that PowerSchools, a cloud-based software provider, suffered a breach whereby the data of 62.4 million students and 9.5 million teachers was exfiltrated. Also in June 2026, the University of Oxford also disclosed a data breach impacting its CareerConnect platform. Separately, 13 schools in Powys county in Wales were impacted by a data breach in April 2026.

After the Oracle E-Business Suite zero-day campaign by CLOP in October 2025, this campaign by ShinyHunters against Oracle PeopleSoft is yet another blow for Oracle. Google identified over 100 exposed organisations, and noted that 68% are academic institutions, including universities and colleges worldwide. More are likely to have been victimised by ShinyHunters and listed on their Tor data leak site in the coming weeks.

Defensive Takeaways

  • Patch Oracle PeopleSoft: Internet-facing applications, such as file transfer servers or cloud-based software need to be prioritised for patches and updates. Checking the integrity of such systems while patching is also key to finding undetected compromises. Proactively ingesting event logs and threat hunting for suspicious activities involving these systems is also key to prevent breaches.
  • Prioritise Education Software Security: Education sector firms or cybersecurity companies with education sector clients must react to the elevated threat, by pen-testing, threat hunting, and threat intelligence sharing. Cybercriminal adversaries like ShinyHunters often exploit internet-facing applications or use stolen credentials for initial access. It is therefore critical to focus on these tactics, techniques, and procedures (TTPs) to prevent their attacks.
  • Follow the Data Breach Alert Playbook: Impacted victims must begin to rotate credentials, and start the laborious task of requesting new identity documents and codes like national insurance numbers or passports. It is also worth investing in some credit monitoring services as well to prevent loans being taken out in your name.

Relevant Sources

  1. https://x.com/politlcsuk/status/2064699766215164241
  2. https://www.dailymail.com/news/article-15889587/University-Nottingham-data-major-hack-cybercriminal.html
  3. https://www.bbc.co.uk/news/articles/ckg0lkp042zo
  4. https://www.bbc.co.uk/news/articles/cnv93j9pv78o
  5. https://www.theregister.com/cyber-crime/2026/06/11/shinyhunters-raids-nottingham-uni-for-student-alumni-data/5253961

Relevant CTI Resources

  1. https://www.ransomware.live/id/bm90dGluZ2hhbS5hYy51a0BzaGlueWh1bnRlcnM
  2. https://haveibeenpwned.com/Breach/UniversityOfNottingham
  3. https://x.com/nahamike01/status/2064559568018186745
  4. https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit 

Popular posts from this blog

Ransomware Tool Matrix Project Updates: May 2025

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Lessons from the BlackBasta Ransomware Attack on Capita