ShellCodeX
Tools โ€ข Events โ€ข News โ€ข Insights
ShellCodeX Breach Report

JCPenney Data Breach

jcpenny.com
Limited exposure
Verified breach
Accounts exposed 368,418
Breach date 12 Jun 2026
Added to tracker 20 Jun 2026
Data classes 8

What happened

In June 2026, retailer JCPenney and associated brands were targeted in a ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from JCPenney through the exploitation of a critical zero-day vulnerability in Oracle PeopleSoft was later published publicly. The exposed records indicated they primarily related to internal HR systems and impacted current and former employees. The data included 368k corporate and personal email addresses, names, dates of birth, Social Security numbers, phone numbers and home addresses.

Exposed data

Dates of birth Email addresses Government issued IDs Job titles Names Phone numbers Physical addresses Usernames

Recommended actions

  • Watch for targeted phishing emails referencing JCPenney โ€” attackers weaponise breach data quickly.
  • Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
  • Exposed identity data raises identity-theft risk โ€” consider credit monitoring or a credit freeze.
  • Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP