TL;DR: More than 300 PeopleSoft instances were compromised by June 10, 2026 as ShinyHunter exploited the platform, underscoring how application-layer access weaknesses can turn into broad identity exposure in higher education environments, according to Pathlock. Persistent access controls, entitlement review, and application governance now matter as much as perimeter defence.
NHIMG editorial — based on content published by Pathlock: ShinyHunter is exploiting PeopleSoft, 300+ instances compromised as of June 10, 2026
By the numbers:
- ShinyHunter is exploiting PeopleSoft, 300+ instances compromised as of June 10, 2026
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when PeopleSoft access is not tightly governed?
A: When PeopleSoft access is not tightly governed, attackers can abuse valid accounts, integration users, or administrative roles to move from one compromised instance into broader application exposure.
Q: Why do ERP environments increase identity risk for security teams?
A: ERP environments increase identity risk because they concentrate sensitive workflows, privileged access, and delegated administration in one place.
Q: How do you know if application access reviews are actually working?
A: Access reviews are working only when they result in measurable removal of stale accounts, roles, and integrations.
Practitioner guidance
- Map all PeopleSoft identities to business ownership: Build an authoritative inventory of human, service, and integration accounts tied to each PeopleSoft instance, then require a named business owner for every privileged entitlement and delegated admin role.
- Enforce lifecycle revocation for stale application access: Set explicit expiry and revocation triggers for accounts, roles, and integrations when staff change function, vendors change scope, or instances are decommissioned.
- Prioritise high-risk entitlement review over broad recertification: Focus certification cycles on administrative roles, integration users, and cross-instance accounts first, because those are the access paths most likely to turn a compromise into broad exposure.
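The three checks above can be run as one triage pass over an account inventory export. This is an added example, not code from Pathlock or from PeopleSoft. The CSV columns, account and role names, instance labels, the 90-day staleness threshold and the scoring weights are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; columns, accounts, roles and instances are assumptions.
INVENTORY_CSV = """account,type,instance,role,privileged,owner,last_used
jdoe,human,HCM-PROD,Benefits Clerk,no,hr-ops,2026-06-01
svc_batch,service,HCM-PROD,Process Scheduler Admin,yes,,2026-06-09
int_sis,integration,CS-PROD,Integration Broker User,yes,registrar,2025-11-02
int_sis,integration,FIN-PROD,Integration Broker User,yes,registrar,2025-11-02
asmith,human,FIN-PROD,Security Administrator,yes,finance-it,2026-05-20
vendor1,human,CS-TEST,Delegated Admin,yes,,2025-08-15
"""

STALE_AFTER_DAYS = 90  # assumed revocation threshold; tune to local policy


def triage(csv_text, today, decommissioned=()):
    """Return flagged entitlements, highest review priority first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # An account present on more than one instance is a cross-instance access path.
    instances = {}
    for r in rows:
        instances.setdefault(r["account"], set()).add(r["instance"])
    findings = []
    for r in rows:
        privileged = r["privileged"] == "yes"
        idle_days = (today - date.fromisoformat(r["last_used"])).days
        flags = []
        if privileged and not r["owner"].strip():
            flags.append("no-owner")  # privileged entitlement without a named owner
        if idle_days > STALE_AFTER_DAYS:
            flags.append("stale")  # lifecycle revocation trigger
        if r["instance"] in decommissioned:
            flags.append("decommissioned-instance")
        if len(instances[r["account"]]) > 1:
            flags.append("cross-instance")
        if not flags:
            continue
        # Weighting: privileged roles, non-human accounts and cross-instance reach first.
        score = (2 * privileged + (r["type"] != "human")
                 + ("cross-instance" in flags) + len(flags))
        findings.append({"account": r["account"], "instance": r["instance"],
                         "role": r["role"], "flags": flags, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["account"], f["instance"]))
```

Running the same pass on successive exports and counting how many findings disappear gives a concrete measure of whether reviews are removing stale access.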
What's in the full analysis
Pathlock's full event page covers the conference context and team presence this post intentionally leaves out.
- Conference logistics for EDUCAUSE attendees planning meetings with Pathlock staff
- The specific roles of the Pathlock team members listed for the event
- Additional event context for higher education technology professionals who want to connect in Denver
PeopleSoft exploitation in higher education: what IAM teams should watch?