"Oracle has informed us that there was a cyber event and that the personnel records of hundreds of companies may have been obtained by so‑called threat actors. We have since learned that Nissan was specifically targeted in this attack," Nissan wrote in breach notifications filed with the California Attorney General's Office.
How the Oracle PeopleSoft CVE-2026-35273 figures into the breach
The incident at Nissan traces to a broader campaign that exploited a critical vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273. Oracle released emergency mitigations after the flaw was disclosed, but the company had not publicly confirmed exploitation at the time of Nissan's filing. Independent incident responders later tied active exploitation of CVE-2026-35273 to data‑theft operations between May 27 and June 9, according to Mandiant's reporting cited by the disclosure.
Nissan's reported exposure, response, and immediate controls
Nissan says it is in the early stages of an investigation and has not yet determined the full impact. The automaker believes attackers accessed employee personal information that may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information. Nissan's breach notifications make clear the affected population likely includes current and former employees in the United States, Canada, Mexico, and Brazil.
After learning of the breach, Nissan said it activated its incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle to address the issue. As an additional precaution, the company restricted access to employee pay slips and direct deposit changes to company network computers or secured VPN connections and is implementing additional identity verification measures before processing payroll requests. Nissan will offer free credit and dark‑web monitoring where available to individuals whose information is ultimately determined to have been exposed, and it said those employees will receive additional notifications detailing what data was impacted.
ShinyHunters' claims and the wider PeopleSoft campaign
The disclosure is linked to exploitation publicly reported earlier in June, when the extortion group ShinyHunters claimed responsibility for a campaign that it said breached over 300 PeopleSoft instances across 100 organizations. ShinyHunters told BleepingComputer it obtained data in those intrusions, and the gang has since begun publishing stolen datasets on its data leak site, including material tied to Nottingham University and the National Association of Insurance Commissioners (NAIC).
Mandiant’s confirmation that threat actors exploited CVE-2026-35273 as a zero‑day in data‑theft attacks aligns with the timeline ShinyHunters provided. The source report also notes ShinyHunters' pattern of targeting cloud and SaaS environments (Salesforce, Snowflake, third‑party integration partners, and other cloud services) and references a recent separate attack on Instructure Canvas in which the group stole 280 million records; Instructure reportedly paid a ransom to prevent that dataset from being leaked.
Data types exposed and geographic reach
According to Nissan's notifications, the records managed in Oracle PeopleSoft (payroll, tax administration, and other personnel records) are central to the breach. The company specifically lists potential exposure of contact data, banking and direct deposit details, national identification numbers, tax and financial records, and information about dependents and beneficiaries. Nissan identified the likely affected regions as the U.S., Canada, Mexico, and Brazil, though it has not yet issued individualized notices beyond the initial disclosures.
What this means for Nissan employees, security teams, and regulators
- Nissan employees: Those whose information is ultimately determined to have been exposed should expect targeted notifications from the company and an offer of credit and dark‑web monitoring where available. Nissan has already restricted access to pay slips and direct deposit changes to company network computers or secured VPN connections, and it is implementing additional identity verification before processing payroll requests.
- Security teams and procurement leaders at organizations using Oracle PeopleSoft: The campaign underscores the urgency of applying Oracle's emergency mitigations for CVE-2026-35273 and of monitoring for follow‑on data leaks tied to PeopleSoft instances. Mandiant's attribution of exploitation between May 27 and June 9 provides a concrete window for retrospective hunting and log review.
- Regulators and incident response coordinators: Nissan's notice to the California Attorney General and its cross‑border impact (U.S., Canada, Mexico, Brazil) highlight the transnational footprint of the campaign and the need for coordinated notification and remediation practices when core HR systems are compromised.
Nissan’s filing places the company among hundreds of organizations affected by a single, rapidly exploited PeopleSoft vulnerability. The disclosures from Oracle, Mandiant, and the public claims and postings by ShinyHunters leave a clear record of a multi‑organization intrusion campaign; Nissan’s next steps—finalizing its investigation, notifying affected individuals, and working with Oracle—will determine how many current and former employees ultimately face the fallout from the exposure.
Source: BleepingComputer — Nissan discloses employee data breach linked to Oracle zero-day attacks




