Oracle has warned customers about a serious security vulnerability in its PeopleSoft human resources and payroll management software, TechCrunch reported on June 11.
The report said the warning came a day after cybercrime group ShinyHunters claimed it breached more than 100 organisations using PeopleSoft servers.
Google-owned threat intelligence firm Mandiant said the vulnerability referenced by Oracle is the same bug ShinyHunters is exploiting to attack PeopleSoft customers.
Mandiant said it notified more than 100 organisations worldwide about the vulnerability. Most of them are in the United States, and about two-thirds are higher education institutions. Mandiant said, "Some organisations blocked the attack or remediated the vulnerability, but others were breached and stolen data was published on ShinyHunters' leak site."
Oracle has not yet released a patch for the vulnerability. The bug can be exploited over the internet without any authentication, such as a password. In the meantime, Oracle recommended that PeopleSoft customers apply its published mitigations to prevent exploitation.
ShinyHunters claimed it breached companies by exploiting an unpatched PeopleSoft server vulnerability. In a message sent to a victim school, ShinyHunters claimed it stole hundreds of thousands of student records across the entire campus, including names, addresses, phone numbers, dates of birth, grade point averages, majors and student ID numbers.
ShinyHunters has attacked organisations using Salesforce, Gainsight and Instructure software over the past year. Its pattern is to identify vulnerable software and the organisations running it, steal their data, and then demand a ransom under threat of publishing it.