Nissan has disclosed a significant data breach affecting its current and former employees, warning that personal data was exfiltrated by threat actors who exploited a zero-day vulnerability in Oracle PeopleSoft — an enterprise software platform widely used for human resources and payroll management.
What Happened
According to Nissan's disclosure, attackers leveraged a previously unknown flaw in Oracle PeopleSoft to gain unauthorized access to systems containing employee records. The breach is being linked to the ShinyHunters extortion group, which has been behind a string of high-profile data theft operations in 2025 and 2026.
ShinyHunters has become notorious for exploiting enterprise software vulnerabilities to steal large volumes of personal and corporate data, often threatening to publish it unless a ransom is paid. The group's use of an Oracle zero-day indicates a significant level of technical sophistication and suggests the vulnerability may have been purchased or developed independently.
What Was Compromised
While Nissan has not publicly detailed the full scope of the breach, employee data breaches of this nature typically include:
- Full names and personal identifiers
- Contact information (addresses, phone numbers, email addresses)
- Employment details (job titles, departments, tenure)
- Government-issued identification numbers in some cases
Nissan is in the process of notifying affected individuals and has engaged security and legal teams to assess the full impact.
Oracle PeopleSoft Zero-Day Context
Oracle PeopleSoft is a critical business application used by enterprises globally for HR, finance, and supply chain operations. Zero-day vulnerabilities in such widely deployed enterprise platforms are highly valuable on the underground market — they enable attackers to compromise large organizations before patches are available.
This incident fits a broader pattern observed in 2026: threat actors, particularly ShinyHunters and affiliated groups, are acquiring or developing exploits for enterprise software platforms to accelerate large-scale data theft campaigns. Earlier in the year, the group was linked to multiple PeopleSoft-related intrusions, suggesting they may hold or have previously held a reliable exploit for the platform.
ShinyHunters: Prolific Data Extortionists
ShinyHunters has been active since at least 2020 and has claimed responsibility for dozens of major breaches. Their typical playbook involves:
- Initial access via vulnerability exploitation or credential stuffing
- Mass data exfiltration of user and employee databases
- Extortion demands with threats to publish stolen data on forums like BreachForums
Previous victims have included major retailers, telecommunications companies, financial institutions, and automotive manufacturers.
Recommendations for Organizations
If your organization uses Oracle PeopleSoft:
- Apply Oracle patches immediately — monitor Oracle's Critical Patch Update (CPU) advisories and any out-of-band emergency patches.
- Audit access logs — look for unusual authentication events or bulk data queries in PeopleSoft audit logs.
- Segment PeopleSoft deployments — ensure the platform is not directly internet-accessible and is protected by a WAF.
- Enable multi-factor authentication — reduce risk from credential-based initial access attempts.
- Review data minimization — ensure only necessary employee data is stored and accessible within the platform.
Employee Actions
Current and former Nissan employees who may be affected should:
- Monitor credit reports and bank accounts for unusual activity
- Be alert for phishing emails that may leverage stolen personal details
- Consider placing a fraud alert or credit freeze if notified of the breach
- Review notifications from Nissan closely for identity protection services being offered
Broader Implications
This breach underscores the risks posed by zero-day vulnerabilities in enterprise HR platforms. Unlike consumer-facing applications, enterprise systems like PeopleSoft hold particularly sensitive employee data — and breaches can affect thousands of individuals across multiple subsidiaries and geographies. The automotive sector has been a repeat target for data extortion groups in 2026, with several manufacturers disclosing incidents tied to enterprise software exploitation.