Jul 01, 2026 · 6 min read
ShinyHunters Breach Exposes 454K Nottingham Students
The University of Nottingham confirmed on June 11, 2026 that ShinyHunters stole more than 40GB of data on 454,600 current and former students across its UK, Malaysia, and China campuses — then published it after the university refused to pay.
On June 11, 2026, the University of Nottingham confirmed what ShinyHunters had already made public: 454,600 current and former students across its UK, Malaysia, and China campuses had their personal data stolen and dumped online. The gang's ask went unanswered. The data — more than 40GB — was published anyway.
Key Takeaways
- ShinyHunters (also tracked as UNC6240) stole 40GB of data covering 454,600 University of Nottingham students and alumni across three countries.
- CVE-2026-35273, a CVSS 9.8 critical remote code execution flaw in Oracle PeopleSoft PeopleTools, was a key component of the attack; exploitation began as a zero day on May 27, 2026.
- Data exposed includes full names, passport numbers, dates of birth, home addresses, ethnicity, disability status, academic records, and student finance details — plus approximately 455,000 email addresses.
- The University of Nottingham is one of more than 100 organizations hit in a ShinyHunters campaign targeting 300+ Oracle PeopleSoft instances; 68% of victims were in higher education.
- The university reported the breach to the UK Information Commissioner's Office (ICO) and Action Fraud, and contacted affected individuals directly.
What Data Was Stolen?
The exposed dataset covers nearly every dimension of a student's university life. ShinyHunters published records containing full legal names, email and home addresses, phone numbers, dates of birth, passport numbers, ethnicity, disability information, academic enrollment records, and student finance and payment details. Some reporting also identified credit card information in the leaked files.
That combination — a real name paired with a passport number, date of birth, and email address — is more than enough to commit identity fraud, open credit accounts, or craft highly convincing phishing messages. According to BleepingComputer's coverage, the breach affects students from Nottingham's campuses in the United Kingdom, Malaysia, and China, making the affected population genuinely international in scope.
How Did ShinyHunters Get In?
The gang exploited Oracle PeopleSoft — the enterprise platform that most large universities use to manage student records, finance, and HR. The specific entry point was CVE-2026-35273, a critical CVSS 9.8 flaw in PeopleTools that Oracle had not yet patched when attacks began. Because the exploit arrived before the vendor's June 10 advisory, every victim was hit by a zero day.
Google's Mandiant team (Google Threat Intelligence Group) traced the earliest confirmed exploitation to May 27, 2026. Within minutes, ShinyHunters had installed a legitimate remote management tool repurposed as command and control infrastructure and set up SSL certificates under a spoofed cloud domain to blend into normal traffic. The dwell period ran until at least June 9 — nearly two weeks of quiet exfiltration before the university knew anything was wrong.
The attack is part of a broader campaign. The Register reported that ShinyHunters claims to have breached more than 100 organizations through 300+ PeopleSoft instances. Sixty eight percent of victims were in higher education, the majority in the US. Nissan Americas and the National Association of Insurance Commissioners were also hit — a reminder that this is not a campaign targeting universities specifically, but one that happened to find them disproportionately exposed. Notably, Nissan had already suffered repeated breaches in recent years; Nissan's fourth breach in four years followed a similar pattern of exfiltration and delayed disclosure.
Why Does Higher Education Get Hit Harder?
Universities hold decades of records on students who passed through their doors and never deactivated their accounts. The University of Nottingham's breach covers people who may have studied there years ago — alumni whose data sat in a live PeopleSoft instance simply because nobody migrated or purged it.
There is a structural problem too. Enterprise software like PeopleSoft requires complex, multi team patching cycles. A critical vulnerability disclosed on a Tuesday does not get applied by Wednesday when the affected system is a university's central student information platform. Attackers know this. ShinyHunters specifically chose PeopleSoft because the patching lag is predictable.
What This Means for Your Inbox
455,000 real email addresses — paired with accurate names, dates of birth, and passport numbers — form a ready made phishing list. Anyone who received a notification from the University of Nottingham after June 11 is already confirmed active. Attackers can now send messages that reference your exact enrollment year, your campus, or your student ID number, making the lure far more convincing than a generic scam. Leaked email addresses from breaches like this one are routinely loaded into phishing platforms within days of publication, targeting recipients with "urgent account" or "student loan" pretexts that use real personal details to build false legitimacy.
Are You a Nottingham Student or Alum?
The breach covers current and former students across all three campuses. If you studied at Nottingham — in the UK, Malaysia, or China — at any point in the university's recent history, assume your data is in the leaked set.
What Should Affected Students Do?
- Check Have I Been Pwned. Search your email address at haveibeenpwned.com to confirm whether your record appears in the leaked dataset.
- Watch for targeted phishing. Any message that references your enrollment year, course, campus, or student ID should be treated as suspicious — even if the sender address looks official. The leaked data gives attackers enough to personalize attacks convincingly. Do not click links in unexpected emails about student finance, loan repayments, or account verification.
- Alert your bank and monitor your credit. Passport numbers plus financial records is a combination used in identity fraud and account opening. Contact your bank to note the breach, and consider placing a notice of correction on your credit file with the UK's main credit reference agencies (Experian, Equifax, TransUnion). If you are outside the UK, follow the equivalent process in your country.
- Flag your passport if necessary. If your passport number was in the exposed records and you are concerned about misuse, contact HM Passport Office to discuss your options. A stolen passport number alone does not void a passport, but it can be used in conjunction with other data for fraudulent applications.
The ICO Is Watching
The University of Nottingham has reported the incident to the UK's Information Commissioner's Office and to Action Fraud. Under UK GDPR, organizations must notify the ICO within 72 hours of becoming aware of a qualifying breach — and with 454,600 individuals' sensitive records published online, this clearly qualifies. The ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
This breach joins a pattern the ICO has been watching closely. A university sector that holds sensitive personal data — including special category data such as ethnicity and disability — on hundreds of thousands of individuals is exactly the kind of controller the regulator expects to maintain robust patching discipline and data minimization practices. Whether Nottingham had both will become clear as the investigation proceeds.
Looking Ahead
ShinyHunters is still active. More than 100 organizations were notified as part of this campaign, and confirmed disclosures have been arriving steadily since mid June. If your employer, insurer, or any institution you interacted with uses Oracle PeopleSoft and has not yet confirmed it patched CVE-2026-35273, the story may not be over. Sysco was another early victim — ShinyHunters dumped 2.7 million Sysco emails when that deadline passed too.
Oracle issued its out of band advisory on June 10, one day before the University of Nottingham disclosure. If you are in a security or IT role at any organization running PeopleSoft, the patch is not optional.