HackMyIP
2026-06-29 BleepingComputer

NAIC Confirms ShinyHunters PeopleSoft Zero-Day Breach Exposed Limited Data

Zero-Day, Data Breach, Vulnerability

The National Association of Insurance Commissioners (NAIC) has confirmed that threat actor ShinyHunters exploited a zero-day vulnerability in an Oracle PeopleSoft server to access its internal systems, though the U.S. insurance regulatory body insists only publicly available data, outdated logs, and configuration files were compromised. NAIC disclosed the incident on June 11 after detecting unauthorized access to a portion of its IT environment. The organization, which coordinates insurance regulation across all 50 states, has since remediated the affected systems and is deploying additional defenses to prevent recurrence. Organizations concerned about exposure can verify whether their credentials have surfaced using the email breach checker.

While ShinyHunters initially leaked stolen data following NAIC's refusal to pay a ransom, the threat actor's claims have since come under scrutiny. According to the group's own June 25 update, an earlier inventory of the haul was inflated due to AI hallucinations during analysis. The revised figure reportedly includes 3.1 TB of data spanning 105,000 files drawn from NAIC's INSData and Vision servers, 264,000 insurer regulatory filing PDFs dated between 2017 and 2024, roughly 2,000 customer and payment records, 45,000 rating agency files, AWS infrastructure configurations, and stored credentials for SERFF, OPTins, and UCAA production environments. NAIC has directly disputed the assertions of compromise against these critical regulatory platforms and maintains that no personally identifiable information or financial data was exposed. Given the alleged exposure of stored credentials, security teams should run any exposed passwords through the password checker and rotate them immediately.

The underlying vulnerability, tracked as CVE-2026-35273, affects both cloud and on-premises Oracle PeopleSoft deployments and has reportedly been leveraged against more than 100 organizations as part of an ongoing ShinyHunters extortion campaign. BleepingComputer documented the threat actor's zero-day activity prior to Oracle's public disclosure of the flaw. Operational fallout from the NAIC intrusion was notable: credit rating agencies temporarily suspended data feeds to the regulator, and NAIC paused investment designation work during the response window. Security teams running PeopleSoft instances should audit exposed services immediately, as attackers typically begin with perimeter reconnaissance—a process the port scanner can help formalize—before exploiting known enterprise application flaws.

Source: BleepingComputer
