THE SIGNAL
One Bug, A Hundred Broken Doors
When a hundred organizations get robbed through the same lock, the problem was never the lock — it was that everyone bought the same one.
The Shared Software That Became a Skeleton Key
What happened: A hacking group known as ShinyHunters broke into more than 100 organizations by exploiting a previously unknown flaw in Oracle PeopleSoft — the software many large employers and institutions use to run payroll, HR records, and finances. The flaw was a "zero-day," meaning it was already being used in attacks before the vendor had a fix available, so victims had no patch to install when the break-ins began.
What's really going on: The story is told as a hacking crew's win, but the real subject is concentration. Most organizations no longer build the systems that hold their most sensitive records; they rent one of a handful of enterprise platforms, and PeopleSoft is one of the biggest. When that many institutions sit on the same software, a single undiscovered flaw stops being one company's problem and becomes a master key to all of them at once. The attackers didn't have to find a hundred weaknesses — they found one, in a product chosen precisely because it was the safe, standard, everyone-uses-it option. That standardization is what makes the damage hard to undo: you cannot quickly rip out the system that runs payroll for an entire institution.
Why most people are missing this: They read "100+ orgs hacked" as a story about a skilled crew, when the number is really a measure of how few vendors the whole economy now trusts with its core records.
The Take: The most dangerous thing about enterprise software isn't that it can be breached — it's that buying the market leader means you share a single point of failure with everyone else who made the same sensible choice.
Why it matters: As more institutions consolidate onto a shrinking set of platforms, the next hidden flaw in one of them won't hit a hundred organizations — it will hit a thousand, and they'll all find out on the same day.
The Pattern
The tension is between efficiency and exposure. Standardizing on one dominant platform lowers cost and complexity for every buyer, which is why it keeps winning — but it quietly converts thousands of independent risks into one shared one. Convenience is beating resilience, because resilience has no line item and convenience shows up on every budget.
What This Signals
The price of a working exploit in a widely deployed enterprise product keeps climbing, because one flaw now unlocks a portfolio of victims rather than a single target.
Responsibility for security is sliding away from individual organizations and toward the vendors they depend on, which leaves each customer less able to control its own exposure.
What looks like maturity — everyone settling on the proven enterprise system — is also consolidation, packing more of the economy's sensitive data behind fewer locks.
Quick Byte
In 1988 the Morris Worm spread across the early internet and disabled an estimated tenth of the machines then connected — not because each was weak, but because they ran the same code with the same hole. Shared infrastructure has always meant shared failure.
THREAD
100+ organizations got breached through one flaw in one product. That's not a story about hackers. It's a story about how few companies we all trust with our most sensitive data.
When everyone runs the same enterprise software, a single unknown bug stops being one firm's problem and becomes a master key to all of them. The attackers found one door and it opened a hundred buildings.
If standardizing on the market leader is the responsible choice, why does it leave everyone sharing the exact same single point of failure?
POST: "100+ orgs hacked" reads like a story about a skilled crew. It isn't. It's a story about concentration: when that many institutions run the same enterprise platform, one undiscovered flaw becomes a master key to all of them. The hackers didn't find a hundred weaknesses — they found one, in the software everyone bought because it was the safe choice. That's the cost of standardizing: you share your single point of failure with everyone who made the same call.
TAKE: Buying the market-leading enterprise platform doesn't reduce your risk. It just means you get breached at the same moment as everyone else who made the smart, standard choice.
