One Oracle Zero-Day Just Hit 100+ Orgs — NAIC Is Only the Start

ShinyHunters say they grabbed 3.1TB from a U.S. insurance regulator. NAIC says it was junk. Both can be telling the truth — and that should worry you.

DA

Founder & Lead Technician

June 30, 2026 at 12:15 PM IST 5 min
Quick answer

The ShinyHunters extortion group breached the National Association of Insurance Commissioners by exploiting an Oracle PeopleSoft zero-day, CVE-2026-35273. NAIC says only public reports, outdated logs, and config files were taken, with no PII. The same flaw has allegedly hit 100-plus organizations.

One bug. More than a hundred breached organizations. And a U.S. insurance regulator is just the name that made headlines this week.

The National Association of Insurance Commissioners — NAIC, the body that helps regulate insurance across all 50 states — has confirmed that the ShinyHunters extortion crew broke into its systems. The crew got in through a zero-day in an Oracle PeopleSoft server, then leaked what it stole after NAIC refused to pay.

Here is the twist. NAIC says the haul was basically garbage: public reports, stale logs, configuration files. The hackers say they are sitting on 3.1 terabytes. Both sides might be right. And the reason that should worry you has almost nothing to do with insurance.

What NAIC admits — and what it flatly denies

NAIC says it spotted the intrusion on June 11, when it discovered that an unauthorized third party had gained access to a portion of its IT systems through its PeopleSoft platform.

According to the organization, the attackers accessed and in some cases stole data that was already public: statutory financial reports, credit rating agency data, outdated logs, and configuration information. Its investigation, NAIC says, found no evidence that personally identifiable information or financial data was exposed.

Then it went further and directly disputed ShinyHunters. The hackers had claimed they compromised NAIC's crown-jewel regulatory platforms — SERFF for rate and form filings, OPTins for insurance premium tax, and SBS, the State-Based Systems. NAIC says that did not happen.

If you operate Oracle PeopleSoft, treat this as an active threat, not a news story about someone else. Patch now, hunt your logs for access around mid-June, and assume any exposed configuration files are already in criminal hands.

The detail nobody is talking about: the hackers used AI to lie

Here is the part that should make every security team uneasy.

ShinyHunters updated its leak post on June 25 to claim 3.1 TB of data across 105,000 files. But buried in that update was an admission: an earlier summary of the stolen data had been exaggerated because the group used AI to evaluate the files — and the AI hallucinated.

Read that again. The attackers ran your stolen data through a language model to inventory it, and the model invented contents that were not there. They say a human has since reviewed the latest list and it should be considered accurate.

So now extortion victims face a new problem. When a gang says it stole your most sensitive systems, is that real — or is it an AI-inflated claim designed to pressure you into paying? NAIC, by publicly disputing the SERFF and OPTins claims, is essentially calling that bluff. Most victims do not have the nerve, or the forensic confidence, to do the same.

How ShinyHunters actually got in

The mechanics here matter, because they are repeatable.

The crew exploited a zero-day vulnerability — tracked as CVE-2026-35273 — in Oracle PeopleSoft, the enterprise software that thousands of large organizations use to run HR, payroll, finance, and student or member records. A zero-day means the flaw was being exploited in the wild before a patch existed, so even a well-run, fully updated PeopleSoft deployment had no defense at the moment of attack.

PeopleSoft is a juicy target for a simple reason: it sits at the center of an organization and touches identity, money, and records all at once. Compromise the server and you are often one step from everything that matters.

This is also not ShinyHunters' first rodeo. The group has spent years as one of the most prolific data-extortion brands on the scene, recycling the same playbook — breach, exfiltrate, leak, demand — across victim after victim. A single reusable zero-day is exactly the kind of skeleton key that turns one crew into a hundred-victim crisis.

Why NAIC is the tip of the iceberg

This is the headline most coverage is missing. NAIC is not the story. The zero-day is.

By the threat actor's own account, this PeopleSoft flaw has allegedly been used against more than 100 organizations. Nissan has already disclosed an employee data breach tied to the same wave of Oracle zero-day attacks. When one vulnerability becomes a mass-exploitation campaign, the victim list is not a list of unlucky companies — it is every organization running the affected software that has not yet checked its logs.

That is the second-order risk. The named victims are the ones that detected it. The dangerous category is the silent one: organizations that were breached through the same door and still do not know.

The operational damage was real, even without PII

It is tempting to shrug at a breach of public reports and old logs. Do not.

The intrusion still had teeth. Credit rating agencies temporarily suspended their data feeds to NAIC, and the organization paused its investment designation work while it responded. In other words, a breach that allegedly stole nothing sensitive still froze parts of how the U.S. insurance market gets rated and regulated. Disruption does not require stolen secrets — it just requires uncertainty.

What to do in the next 24 to 72 hours

If your organization runs Oracle PeopleSoft, this is your action window. Treat it as live.

  • Patch immediately. NAIC says affected systems are now remediated and Oracle has moved on the exploited flaw. Apply the latest PeopleSoft updates without waiting for a maintenance cycle.
  • Hunt your logs. Review PeopleSoft authentication and access logs for unfamiliar logins, especially in the weeks before and around mid-June. Mass-exploitation campaigns often quietly predate the public disclosure.
  • Get PeopleSoft off the open internet. Restrict the application and its admin interfaces behind a VPN or access gateway. Internet-facing enterprise servers are exactly what these campaigns scan for.
  • Rotate everything in those config files. NAIC confirmed configuration information was among the data taken. Configs routinely contain connection strings, service-account credentials, and API keys. Assume any secret stored there is now burned and rotate it.
  • Pre-decide your extortion stance. Given that gangs are now inflating claims with AI, decide in advance how you will verify a ransom demand. The ability to publicly and confidently dispute a false claim, as NAIC did, is a security capability worth building before you need it.
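An added example of the log hunt in the second step (illustration only, not code from the article, NAIC, or Oracle): it reads a constructed CSV export of PeopleSoft signon records, builds a baseline of user/source-IP pairs from the weeks before the hunt window, and flags logins around the June 11 detection date that use a user or IP the baseline never saw. The column names and CSV layout are assumptions; map them onto whatever your own signon audit export looks like.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (column names are an assumption, not a real
# PeopleSoft schema): normal baseline activity, then logins around the
# June 11 detection date. 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """user,src_ip,login_utc
jsmith,10.20.1.15,2026-05-14T13:02:11
hr_batch,10.20.4.9,2026-05-14T02:00:04
jsmith,10.20.1.15,2026-05-20T12:58:40
jsmith,10.20.1.15,2026-05-27T13:01:09
hr_batch,10.20.4.9,2026-05-28T02:00:05
jsmith,10.20.1.15,2026-06-09T13:10:02
PS,203.0.113.77,2026-06-10T03:41:57
hr_batch,10.20.4.9,2026-06-11T02:00:07
jsmith,198.51.100.23,2026-06-12T04:15:30
"""

def parse(text):
    """Turn the CSV export into (user, src_ip, login time) tuples."""
    return [(r["user"], r["src_ip"], datetime.fromisoformat(r["login_utc"]))
            for r in csv.DictReader(io.StringIO(text))]

def hunt(rows, detected_on, lookback_days=21, baseline_days=60, after_days=3):
    """Flag logins in the hunt window whose user or source IP never appeared
    in the baseline period preceding it. detected_on is an ISO date string."""
    end = datetime.fromisoformat(detected_on) + timedelta(days=after_days)
    window_start = end - timedelta(days=after_days + lookback_days)
    baseline_start = window_start - timedelta(days=baseline_days)
    baseline = {(u, ip) for u, ip, t in rows if baseline_start <= t < window_start}
    known_users = {u for u, _ in baseline}
    known_ips = {ip for _, ip in baseline}
    findings = []
    for u, ip, t in sorted(rows, key=lambda r: r[2]):
        if not window_start <= t <= end:
            continue
        reasons = []
        if u not in known_users:
            reasons.append("user never seen in baseline")
        if ip not in known_ips:
            reasons.append("source ip never seen in baseline")
        elif (u, ip) not in baseline:
            reasons.append("known ip but unusual user for it")
        if reasons:
            findings.append((t.isoformat(), u, ip, "; ".join(reasons)))
    return findings
```

Run `hunt(parse(SAMPLE_LOG), "2026-06-11")` to see the two hits in the sample: a never-seen account from an outside address, and a known user signing on from an address the baseline never recorded.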

The real lesson behind the breach

Strip away the insurance angle and what is left is a blueprint for the rest of the year. A single enterprise zero-day, a prolific extortion brand, more than a hundred victims, and attackers now using AI to package — and exaggerate — what they steal.

NAIC got off comparatively lightly and had the confidence to say so. The harder question is for everyone else running the same software: have you actually looked, or are you just assuming the door that breached a hundred organizations somehow skipped yours?

Source: BleepingComputer

Frequently asked questions

What is the NAIC breach and who is responsible?

The National Association of Insurance Commissioners, a U.S. insurance regulator operating in all 50 states, confirmed that an unauthorized party accessed part of its IT systems. The ShinyHunters extortion group claimed the attack, broke in through a zero-day flaw in an Oracle PeopleSoft server, and leaked data after NAIC refused to pay a ransom.

What data was actually stolen from NAIC?

NAIC says the attackers accessed already-public statutory financial reports, credit rating agency data, outdated logs, and configuration information. Its investigation found no evidence that personally identifiable information or financial data was exposed. ShinyHunters claims to hold 3.1 TB across 105,000 files, but admitted an earlier inventory was exaggerated by AI hallucinations.

What is CVE-2026-35273 and why does it matter?

CVE-2026-35273 is the zero-day vulnerability in Oracle PeopleSoft that ShinyHunters used to break into NAIC. A zero-day means it was exploited before a fix existed. The group has allegedly used the same flaw to hit more than 100 organizations, including a reported Nissan employee data breach, so any PeopleSoft operator is a potential target.

How can my organization protect itself from this attack?

Patch Oracle PeopleSoft to the latest version immediately, since the vendor has issued fixes for the exploited flaw. Audit PeopleSoft access logs for unfamiliar logins around and before mid-June, restrict the server from direct internet exposure, rotate credentials and configuration secrets, and assume any config files touched by the attacker are now public.

Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.