Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 01, 2026 · 6 min read

Nissan Employee Data Stolen in Oracle Zero-Day Hack

Nissan Americas confirmed on June 29, 2026 that ShinyHunters stole Social Security numbers, banking details, and payroll records from current and former employees across the US, Canada, Mexico, and Brazil — via the Oracle PeopleSoft zero day CVE-2026-35273.

On June 29, 2026, Nissan Americas filed a data breach notification confirming that attackers had stolen Social Security numbers, banking details, and payroll records belonging to current and former employees across four countries. The culprit: CVE-2026-35273, a critical Server Side Request Forgery flaw in Oracle PeopleSoft that ShinyHunters exploited as a zero day for nearly two weeks before Oracle issued an emergency patch.

Key Takeaways

  • CVE-2026-35273 (CVSS 9.8) was actively exploited between May 27 and June 9, 2026 — a 13 day window before Oracle's out of band patch.
  • Nissan Americas confirmed exposure of employee contact information, banking details, Social Security numbers, Social Insurance Numbers (Canada), National Identification Numbers, and financial and tax records.
  • ShinyHunters (UNC6240) breached over 300 PeopleSoft instances across approximately 100 organizations in the same campaign, per Mandiant and Google Threat Intelligence Group analysis.
  • The breach notification covers current and former Nissan employees in the United States, Canada, Mexico, and Brazil; the full scope remains under investigation.
  • This is Nissan's latest confirmed breach in a string of incidents since 2023, spanning North America, Oceania, Japan, and now all four Americas markets.

What Employee Data Was Exposed?

Nissan's breach notification lists six categories of compromised data: employee contact information, banking account details, Social Security numbers (US employees), Social Insurance Numbers (Canada), National Identification Numbers (Mexico and Brazil), and financial and tax records. That combination is close to the worst possible outcome for an HR system breach. SSNs plus bank account numbers plus tax records gives an attacker everything needed to open fraudulent credit lines, redirect payroll deposits, or file false tax returns — all without the victim noticing immediately.

The affected population spans current and former employees across four countries. Nissan has not disclosed a specific headcount, and the notification states the full scope is still under investigation. For comparison, a 2023 Nissan North America breach — a separate incident — exposed data on more than 53,000 employees.

A corporate automotive office at night with empty desks and glowing monitors, conveying an enterprise HR and payroll system compromise

How Did Attackers Get In?

CVE-2026-35273 is a critical SSRF vulnerability in Oracle PeopleSoft PeopleTools, scoring 9.8 on the CVSS scale. The flaw is unauthenticated and remotely exploitable with low complexity — meaning attackers needed no valid credentials and no user interaction, only network access to an exposed PeopleSoft instance over HTTP.

Oracle issued an emergency out of band patch on June 10, 2026. CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities (KEV) catalog two days later. The Nissan intrusion occurred entirely within the zero day window: Mandiant places the exploitation window at May 27 through June 9, 2026 — the 13 days before the patch existed.

For the full technical breakdown of the vulnerability and attack chain, see our technical breakdown of CVE-2026-35273. The focus here is what Nissan's disclosure tells us about corporate exposure in an enterprise wide campaign.

Who Else Was Hit?

Nissan is a named victim, but not even close to the only one. Mandiant and Google's Threat Intelligence Group confirmed that ShinyHunters — tracked internally as UNC6240 — compromised more than 300 PeopleSoft instances across approximately 100 organizations globally, per SecurityWeek's reporting.

Sixty eight percent of notified victims were in higher education. The University of Nottingham was among the first publicly confirmed cases: ShinyHunters reportedly exfiltrated 40GB covering roughly 450,000 current and former students, then posted the data on their leak site after the university declined to pay ransom. The National Association of Insurance Commissioners (NAIC), a US insurance regulatory body, subsequently confirmed its own breach via the same vulnerability.

Nissan represents the campaign's clearest corporate victim so far — a Fortune 500 employer whose HR system held payroll and tax data for employees across an entire hemisphere.

Is This a Pattern for Nissan?

Bluntly, yes. This is one of several confirmed Nissan breaches since 2023:

  • November 2023: Nissan North America — VPN exploitation exposed SSNs for more than 53,000 employees.
  • December 2023 / March 2024: Nissan Oceania — Akira ransomware stole data on 100,000 customers and employees.
  • Late 2025: Nissan Fukuoka Motor — 21,000 customer records stolen via a compromised third party system.
  • April 2026: Nissan Americas — 910GB of customer and loan data exposed via a vendor; see Nissan's fourth breach in four years.
  • May to June 2026: This breach — payroll and identity records stolen via the Oracle PeopleSoft zero day.

Repeated targeting is not coincidence. Threat actors share reconnaissance. An organization that has been successfully breached multiple times becomes a known target on criminal forums, with prior victim data used to improve social engineering for the next attempt.

Why Email Users Should Care

The combination of employee email addresses, SSNs, and payroll data now circulating on ShinyHunters' leak site creates a precise target list for spear phishing campaigns. Attackers who already know a victim's employer, salary band, tax filing status, and banking institution can craft highly personalized lures — payroll adjustment confirmations, HR policy updates, or fake tax notices — that are far harder to detect than generic phishing.

Employee email addresses harvested from PeopleSoft HR records are particularly valuable because they are verified, current, and associated with known employer relationships. When that data hits criminal markets, the phishing campaigns that follow tend to be surgical.

What Should Affected Nissan Employees Do?

Nissan is offering free credit monitoring and dark web monitoring to affected individuals. That is a reasonable starting point, not an endpoint. Four concrete steps:

  1. Place a credit freeze at all three bureaus (Equifax, Experian, TransUnion). A freeze is free under US federal law and blocks new credit accounts from being opened in your name — credit monitoring alerts you after the fact; a freeze prevents it.
  2. Contact your bank immediately about your account number. Banking details were explicitly listed in the breach. Ask your bank whether account numbers that appeared in the breach data can be rotated or flagged for enhanced verification.
  3. File an IRS Identity Protection PIN application. If your SSN was exposed, an IP PIN prevents anyone else from filing a federal tax return using your number. The IRS IP PIN program is free at irs.gov.
  4. Watch for targeted email lures. Expect phishing emails referencing your employer, payroll system, or HR department in the weeks ahead. The data now in circulation is detailed enough to make these messages look credible. Treat any unsolicited HR or payroll email — even one addressed to you by name — with skepticism and verify through internal channels before clicking.

Looking Ahead

Oracle's June 10 emergency patch covers CVE-2026-35273, but patching closes the door after the theft has already happened for organizations breached in the May 27 to June 9 window. Any company running an on premises or hosted PeopleSoft deployment that has not confirmed the patch is applied should treat the system as potentially compromised and initiate forensic review rather than waiting for signs of data exfiltration.

For Nissan specifically, the regulatory clock is now running across four jurisdictions simultaneously. US state breach notification laws, Canada's PIPEDA, Mexico's LFPDPPP, and Brazil's LGPD each impose different timelines and requirements — and the breadth of data categories exposed (banking, tax, national ID numbers) triggers obligations under all of them.

The broader lesson from this campaign is structural: a single unauthenticated network flaw in widely deployed enterprise HR software gave one threat group simultaneous access to employee payroll records at universities, insurers, and multinational manufacturers across three continents. The 13 day exploitation window before the patch existed is a reminder that zero days in enterprise software are not hypothetical — and the HR systems that hold the most sensitive employee data are precisely the targets attackers prioritize.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.