Some links in this student data breach post are affiliate links. If you buy through them, FutureCybers may earn a small commission at no extra cost to you. See our affiliate disclosure for details.
Quick answer: This student data breach is a big one. A hacking group called ShinyHunters broke into Oracle PeopleSoft systems at more than 100 organizations, most of them universities, and stole records on hundreds of thousands of students. If you’re a current or former college student, freeze your credit, turn on multi-factor authentication, and watch for breach-themed phishing. The steps below walk you through exactly what to do.
I’ve been writing about breaches for a while now, and most of them blur together after a bit. This one stuck with me. The data that got out isn’t just email addresses and the usual junk. We’re talking passport numbers, home addresses, and notes about students’ ethnicity and disabilities. That’s the kind of information you can’t change after it leaks. You can reset a password in thirty seconds. You can’t reset where you grew up.
So if you went to college recently, or you have a kid who’s enrolled somewhere, this is worth ten minutes of your attention. Here’s what happened and, more importantly, what to actually do about it.
How the ShinyHunters student data breach happened
Between late May and early June 2026, the cybercrime group ShinyHunters exploited a critical flaw in Oracle PeopleSoft, the back-office software a lot of schools and big companies run for HR, payroll, and student records. Security researchers at Google’s threat intelligence team tracked the activity across more than 300 PeopleSoft instances at over 100 organizations worldwide.
About 68 percent of the victims were in higher education, and most of those were in the United States. The bug they used, tracked as CVE-2026-35273, carries a severity score of 9.8 out of 10. In plain terms, that means an attacker could run their own code on a vulnerable server over the internet without needing a password. Oracle pushed out an emergency patch on June 10, the same day the attacks went public.
The first confirmed victim was the University of Nottingham, which has campuses in the UK, Malaysia, and China. ShinyHunters published more than 40 GB of stolen data covering close to half a million current and former students. Have I Been Pwned counted roughly 455,000 unique email addresses in the leaked set. And these aren’t isolated incidents from a quiet group. ShinyHunters is the same crew tied to the Instructure Canvas breach earlier this year, which touched thousands of schools.
Why this student data breach is scarier than most
Most breaches leak stuff you can fix. This one leaked stuff you mostly can’t.
Passport numbers are the big one. Combine a passport number with a name, a date of birth, and a home address, and you’ve handed a scammer a starter kit for opening accounts, filing fake tax returns, or impersonating someone. The notes on ethnicity and disability status are also deeply personal, the kind of detail nobody signs up to have posted on a leak site.
The other reason this matters is timing. ShinyHunters runs an extortion model. They steal the data, then pressure the school to pay up or watch it get dumped publicly. When schools don’t pay, the data goes out, and that’s usually when the scams start. Criminals love fresh breach data because it makes their phishing messages look real. A “your enrollment is at risk, log in to confirm” email lands a lot harder when it includes your actual student ID.
Am I affected by the Oracle PeopleSoft breach?
Honestly, you might not know for a while. Only a handful of victims have been confirmed publicly, and schools are still working through who got hit. Assume you could be exposed if you currently attend, or used to attend, a college or university that uses Oracle PeopleSoft for student or HR records.
The fastest free check is Have I Been Pwned. Type in your email, and it’ll tell you which known breaches include your address. Do it for every email you’ve used with a school, including the old .edu one you forgot about. It’s free, it takes a minute, and there’s no catch.
7 smart steps to survive this student data breach
You don’t need to do all of these in one sitting. But the first three are worth doing today.
1. Freeze your credit. This is the single most effective move, and it’s free at all three US bureaus (Equifax, Experian, and TransUnion). A freeze blocks new accounts from being opened in your name, which is exactly what an identity thief wants to do with leaked personal data. You can unfreeze it anytime in minutes when you actually need credit. If you have kids, you can freeze theirs too.
2. Turn on multi-factor authentication everywhere. Especially on email, since your inbox is the master key to everything else. App-based codes (like Google Authenticator or Authy) beat text messages, because SIM-swapping is a real thing. For accounts you really care about, a physical security key is the gold standard. It’s a little USB or tap-to-go device, and a phisher on the other side of the world simply can’t fake it. I keep one on my keychain and use it for my email and password manager. A hardware security key runs about the price of a couple of pizzas and lasts for years.
3. Treat every breach-themed message as a scam until proven otherwise. In the weeks after a big leak, expect emails and texts that look like they’re from your school, your bank, or even Oracle. They’ll ask you to “verify” a login, click a link, or pay a fee. Don’t. Go to the real website by typing the address yourself, or call a number you already trust. No legitimate school is going to text you a payment link.
4. Change reused passwords. If your leaked email used the same password somewhere else, change it. A password manager makes this painless and means you only ever memorize one strong password. This is one of the cheapest upgrades you can make to your whole digital life.
5. Protect your physical documents too. Since passport numbers are part of this leak, it’s a good moment to think about the physical side. An RFID-blocking wallet or passport sleeve stops anyone from skimming your card and passport chips while you travel. It’s a small thing, but for the price of a sandwich it closes one more door. You can grab an RFID-blocking passport wallet and not think about it again.
6. Set up account alerts. Turn on transaction alerts with your bank and card issuer so you get a ping the second something looks off. Most banks let you set a dollar threshold. It’s the financial equivalent of a smoke detector.
7. Keep an eye on your mail and your tax filing. Old-school identity theft still happens through the mailbox. Watch for accounts or bills you didn’t open. And file your taxes early, before a scammer can file a fake return in your name to grab your refund.
Extra steps for parents and younger students
If your child’s data was caught up in this, the stakes are a bit different. Kids don’t check their credit, so fraud against a minor can sit undetected for years until they apply for their first loan or apartment. Freeze your child’s credit at all three bureaus, ask the school what monitoring it’s offering, and keep records of any breach notification letters you receive. Those letters matter if you ever need to prove the timeline.
One thing I learned the hard way: don’t assume the school will reach out to you. Notifications are slow, and some students slip through the cracks entirely because they’ve graduated and their contact info is stale. Be proactive instead of waiting for a letter.
What this means for the bigger picture
Schools are a juicy target, and it’s not hard to see why. They hold decades of sensitive records, they often run older software, and their security budgets are thin. PeopleSoft is everywhere in that world, so one good exploit pays off across hundreds of institutions at once. Expect more of this, not less.
The takeaway isn’t to panic. It’s to build habits that make your data boring to steal. If you’re curious about how this stuff works under the hood, or you’ve ever thought about working in the field that fights these attacks, we’ve got a whole section on getting started in cybersecurity. And you can always find our latest breakdowns over at FutureCybers.
Frequently asked questions
Was my university hit by the ShinyHunters breach?
Only a few victims have been confirmed publicly so far, with the University of Nottingham being the first. Researchers found over 100 organizations affected, mostly US universities running Oracle PeopleSoft. Check your school emails for a breach notice and run your addresses through Have I Been Pwned to see if you turn up in the leaked data.
What data did the hackers steal?
Depending on the institution, the stolen records included names, home addresses, phone numbers, email addresses, dates of birth, student ID numbers, and in some cases passport numbers and details about ethnicity and disability status. The exact mix varies by school.
Is freezing my credit really worth it?
Yes, and it’s free. A credit freeze stops anyone from opening new accounts in your name, which is the most common way leaked personal data gets abused. You can lift it in minutes whenever you need to apply for credit yourself, so there’s very little downside.
Do I need to pay for identity theft protection?
Not necessarily. A free credit freeze, multi-factor authentication, and basic alertness cover most of what paid services do. Paid monitoring can be convenient if you’d rather have someone watch for you, but it’s an add-on, not a substitute for the free steps above.
FutureCybers is a participant in the Amazon Services LLC Associates Program. As an Amazon Associate we earn from qualifying purchases.