// #student-data
3 articles
Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8): ShinyHunters Exploit Zero-Day to Breach University Student Records at Scale
A critical zero-day vulnerability in Oracle PeopleSoft Campus Solutions — CVE-2026-35273, CVSS 9.8 — has been exploited by the ShinyHunters threat group to breach student record systems at multiple universities across the US, UK, and Australia. The flaw allows unauthenticated attackers to bypass authentication in the PeopleSoft web application layer, granting direct access to student enrolment, financial aid, and academic records.
Instructure (Canvas LMS) Discloses Cybersecurity Incident — Scope of Student and Faculty Data Exposure Under Investigation
Instructure, the company behind Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review data sharing scope.
ShinyHunters Claims Infinite Campus Breach — 11 Million Student Records at Risk
Infinite Campus, the K-12 student information system used by over 3,200 school districts across 46 US states, has warned customers of a security incident after ShinyHunters claimed to have stolen data via a Salesforce ticketing system compromise on 18 March. The company confirmed the attack lasted 38 minutes and primarily exposed school staff contact details, asserting no student database access occurred — but the threat actor's extortion deadline has passed without resolution.