TL;DR: More than 300 PeopleSoft instances were compromised by June 10, 2026 as ShinyHunter exploited the platform, underscoring how application-layer access weaknesses can turn into broad identity exposure in higher education environments, according to Pathlock. Persistent access controls, entitlement review, and application governance now matter as much as perimeter defence.
NHIMG editorial — based on content published by Pathlock: ShinyHunter is exploiting PeopleSoft, 300+ instances compromised as of June 10, 2026
By the numbers:
- ShinyHunter is exploiting PeopleSoft, 300+ instances compromised as of June 10, 2026
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when PeopleSoft access is not tightly governed?
A: When PeopleSoft access is not tightly governed, attackers can abuse valid accounts, integration users, or administrative roles to move from one compromised instance into broader application exposure.
Q: Why do ERP environments increase identity risk for security teams?
A: ERP environments increase identity risk because they concentrate sensitive workflows, privileged access, and delegated administration in one place.
Q: How do you know if application access reviews are actually working?
A: Access reviews are working only when they result in measurable removal of stale accounts, roles, and integrations.
Practitioner guidance
- Map all PeopleSoft identities to business ownership Build an authoritative inventory of human, service, and integration accounts tied to each PeopleSoft instance, then require a named business owner for every privileged entitlement and delegated admin role.
- Enforce lifecycle revocation for stale application access Set explicit expiry and revocation triggers for accounts, roles, and integrations when staff change function, vendors change scope, or instances are decommissioned.
- Prioritise high-risk entitlement review over broad recertification Focus certification cycles on administrative roles, integration users, and cross-instance accounts first, because those are the access paths most likely to turn a compromise into broad exposure.
What's in the full analysis
Pathlock's full event page covers the conference context and team presence this post intentionally leaves out.
- Conference logistics for EDUCAUSE attendees planning meetings with Pathlock staff
- The specific roles of the Pathlock team members listed for the event
- Additional event context for higher education technology professionals who want to connect in Denver
👉 Read Pathlock's event page for EDUCAUSE conference details and team presence →
PeopleSoft exploitation in higher education: what IAM teams should watch?
Explore further
PeopleSoft exploitation is really an identity governance failure disguised as an application incident. Once a business platform becomes a repeated entry point, the programme has lost control of who can still act, not just who should. Higher education teams should read this as a sign that application ownership, entitlement review, and revocation discipline are still too fragmented to contain lateral access.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which leaves stale access in place far longer than most teams expect.
A question worth separating out:
Q: Who is accountable when a shared application identity is abused?
A: Accountability should sit with the business owner of the entitlement, the application owner who granted it, and the IAM or governance team that certified it. Shared application identities fail when everyone assumes someone else will revoke them, so clear ownership and removal responsibility are essential.
👉 Read our full editorial: PeopleSoft compromise exposes persistent application access risk in higher ed