Nissan is warning that it suffered a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft vulnerability in data theft attacks previously linked to the ShinyHunters extortion group.
In breach notifications filed with the California Attorney General’s Office, Oracle says these data theft attacks impacted hundreds of companies and that Nissan was specifically targeted in the campaign.
“Nissan Americas uses Oracle PeopleSoft software to manage employee information, including payroll, tax administration, and other personnel records,” reads the breach notifications.
“Oracle has informed us that there was a cyber event and that the personnel records of hundreds of companies may have been obtained by so-called threat actors. We have since learned that Nissan was specifically targeted in this attack.”
Nissan says it is still in the early stages of the investigation and has not yet determined the full impact of the breach, but believes attackers accessed personal information that may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information.
The incident is believed to impact current and former Nissan employees in the United States, Canada, Mexico, and Brazil.
Nissan says it activated its incident response after learning it had suffered a data breach, engaged external cybersecurity experts, secured affected systems, and is working with Oracle to address the issue.
The company says it also took steps to end unauthorized access and prevent further disclosure of employee information and will offer free credit and dark web monitoring services to affected individuals where available.
As an additional precaution, Nissan says it is restricting access to employee pay slips and direct deposit changes to company network computers or secured VPN connections while it implements additional identity verification measures before processing payroll requests.
The automaker says that employees whose information is ultimately determined to have been exposed will receive additional notifications detailing what data was impacted.
Linked to ShinyHunters PeopleSoft zero-day attacks
The disclosure is believed to stem from the widespread exploitation of Oracle PeopleSoft servers first reported by BleepingComputer earlier this month.
As first reported, threat actors exploited a zero-day vulnerability in Oracle PeopleSoft to breach instances and steal data.
The ShinyHunters extortion gang claimed responsibility for the attacks, telling BleepingComputer that over 300 PeopleSoft instances across 100 organizations were breached.
Soon after, Oracle disclosed a critical vulnerability in Oracle PeopleSoft PeopleTools, tracked as CVE-2026-35273, and released emergency mitigations.
While Oracle has still not publicly confirmed that the flaw was exploited, Mandiant later confirmed that threat actors exploited the Oracle PeopleSoft CVE-2026-35273 vulnerability as a zero-day in data theft attacks between May 27 and June 9.
These attacks primarily impacted organizations in the education sector, and Mandiant said it notified over 100 organizations, confirming the information previously shared by ShinyHunters.
Since then, ShinyHunters has begun leaking data stolen in these attacks on its data leak site, including for the Nottingham University and the National Association of Insurance Commissioners (NAIC) .
The threat actors are a well-known extortion group that commonly targets Salesforce, Snowflake, third-party integration partners, and other cloud SaaS environments for data theft.
ShinyHunters recently targeted the education sector in a separate cyberattack on Instructure Canvas, stealing 280 million data records from students, teachers, and staff. Instructure later paid a ransom to prevent the data from being leaked.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
