Current and former Nissan Americas employees across the U.S., Canada, Mexico, and Brazil are receiving an unwelcome notice: their Social Security numbers, bank account details, and tax records may now be in criminal hands — not because of anything they did, but because the software Nissan uses to manage payroll had a critical flaw in it. The company filed notice with the California Attorney General disclosing a cyberattack on Oracle’s PeopleSoft platform, the system managing employee records and payroll across hundreds of companies. How many Nissan employees are affected? The company hasn’t said. Protecting your password vaults has never been more urgent given the scale of such breaches.
One Flaw, 100+ Victims
A single Oracle PeopleSoft vulnerability required no password and no employee to trick — just an open port and a critical bug.
The vulnerability at the center of this incident, CVE-2026-35273, scores a 9.8 out of 10 on the CVSS severity scale. Arctic Wolf characterized it as “an immediate risk to any organization running an exposed, vulnerable instance.” It sits in PeopleTools’ Environment Management Hub, requires zero authentication, zero user interaction, and works over plain HTTP. The threat group ShinyHunters — tracked as UNC6240 by Mandiant and Google Threat Intelligence — weaponized it between May 27 and June 9, the exact window Nissan lists as its breach period.
Nissan believes attackers accessed:
- Social Security numbers, Social Insurance numbers, and national IDs
- Banking and direct-deposit details
- Financial and tax data
- Dependent and beneficiary information
- Contact records
Think of CVE-2026-35273 as a skeleton key that fits every apartment door in the building, not just one unit. According to Mandiant and Google Threat Intelligence, ShinyHunters compromised more than 100 organizations and roughly 300 PeopleSoft instances globally, hitting universities hardest but clearly reaching enterprise payroll environments too. These are part of a broader pattern of tech scandals that have repeatedly exposed millions of people through systemic corporate security lapses. Nissan has not formally confirmed a direct link to ShinyHunters, though the timeline and technical description — including the reference to “an unknown vulnerability in Oracle’s PeopleSoft software” in Nissan’s own employee FAQ — align closely with the known campaign.
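For teams running PeopleSoft, one first triage step is to check web access logs for requests that reached the Environment Management Hub from outside trusted networks during the May 27 to June 9 window. The following is an added example, not code from Nissan, Oracle, or the researchers cited here; the `/PSEMHUB/` path, the year, the trusted address ranges, and the sample log lines are assumptions to adjust for your own deployment.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumption: the Environment Management Hub is served under /PSEMHUB/ (verify locally).
HUB_PREFIX = "/PSEMHUB/"
# Window from the article (May 27 to June 9); the year is an assumption.
WINDOW = (datetime(2026, 5, 27, tzinfo=timezone.utc),
          datetime(2026, 6, 10, tzinfo=timezone.utc))  # upper bound is exclusive
# Assumption: ranges that count as corporate network or VPN.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Common/combined access-log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def hub_hits(lines, window=WINDOW, trusted=TRUSTED):
    """Return (time, ip, method, path, status) for hub requests from untrusted sources in the window."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable address or timestamp
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not path.upper().startswith(HUB_PREFIX):
            continue
        if not (window[0] <= ts < window[1]):
            continue
        if any(ip in net for net in trusted):
            continue  # came from corporate network or VPN
        hits.append((ts, str(ip), m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines using documentation address ranges, not real log data.
SAMPLE = [
    '10.1.2.3 - - [28/May/2026:09:00:00 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/May/2026:09:05:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jun/2026:02:14:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Jun/2026:10:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in hub_hits(SAMPLE):
        print(hit)
```

Any hit is a lead for further investigation rather than proof of compromise, and an empty result only means the logs you searched recorded no such request.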
What Nissan Is Doing – and What It’s Not Saying
Employees get tighter payroll controls and monitoring services, but several critical questions remain publicly unanswered.
Nissan activated its incident response plan, brought in outside security specialists, and is coordinating with Oracle and law enforcement, according to the California filing. On the practical side, employees can now access pay slips or change direct-deposit details only from a corporate network or secure VPN, with extra identity verification required before payroll changes are processed. The company also plans to offer credit monitoring and dark web monitoring services where available.
The gaps matter. Nissan has not disclosed the total number of affected employees, when Oracle first notified it of the breach, or whether the compromised PeopleSoft environment was Oracle-managed or Nissan-hosted. Oracle itself declined to answer media questions about the broader campaign, according to The Register.
If you’re among those affected, Nissan’s own guidance is straightforward:
- Change passwords on banking and email accounts — especially any you’ve reused
- Enable multi-factor authentication
- Monitor credit reports for unusual activity
- Reject any unsolicited requests for identity confirmation or banking details
- Report suspicious communications to [email protected]
Nissan has confirmed it will not request SSNs or banking details via unsolicited email, text, or phone call.
Attackers aren’t chasing fitness apps anymore. They’re targeting back-office systems — the ERP and HR platforms that function like a digital safety-deposit box holding decades of employee data, except this one had no lock. Cases like this echo reports of software secretly tracking users, where trusted software conceals hidden risks. Your SSN doesn’t expire. Your tax records follow you for years. Credit monitoring helps, but it’s a long game from here.




























