Oracle is privately confirming to customers that some of its cloud systems have been breached, and is apparently trying to downplay the impact of the incident.
A hacker who uses the online moniker ‘rose87168’ recently offered to sell millions of lines of data allegedly associated with over 140,000 Oracle Cloud tenants, including encrypted credentials. The hacker initially hoped to extort a $20 million payment from Oracle, but later offered to sell the data to anyone or trade it for zero-day exploits.
After the hacker’s claims came to light, Oracle categorically denied an Oracle Cloud hack, saying, “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
However, the hacker has been sharing various types of information to prove their claims, including a sample of 10,000 customer data records, a link to a file demonstrating access to Oracle cloud systems, user credentials, and a lengthy video that appears to have been recorded during an internal Oracle meeting.
Several security firms pointed out that the leaked customer information seems genuine and associated with a production environment. SecurityWeek and others have received confirmation from some Oracle Cloud customers that their data was included in the leak.
SecurityWeek has requested a statement from Oracle several times since the incident has come to light, but the company has not responded beyond the initial statement categorically denying a breach.
However, there are now several independent reports of Oracle privately notifying impacted customers and confirming that a data breach has occurred. On the other hand, details remain murky and there appears to be some conflicting information.
Bloomberg has learned from people familiar with the matter that Oracle has started privately informing customers of a data breach impacting usernames, passkeys and encrypted passwords. The FBI and CrowdStrike are reportedly investigating the incident.
According to some of Bloomberg’s sources, Oracle is telling customers that the incident involved a legacy environment that has not been in use for eight years and the compromised credentials pose little risk. A different source told the publication that some of the compromised credentials are from 2024.
Security firm CyberAngel learned from an unnamed source that ‘Gen 1’ cloud servers were impacted — newer ‘Gen 2’ servers were not — and the compromised information is at least 16 months old and does not include full personal details.
“Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025,” Cyber Angel said.
“This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a webshell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data. Oracle allegedly became aware of a potential breach in late February and investigated this issue internally,” it added. “Within days, Oracle reportedly was able to remove the actor when the first demand for ransom was made in early March.”
The hacker has been claiming that information from 2025 was also compromised.
Cybersecurity researcher Kevin Beaumont, who has been following the story, learned from Oracle cloud customers that the notifications from the tech giant have been only verbal — there are no written notifications.
Beaumont believes that ‘Gen 1’ servers may be referring to Oracle Classic, the name given to old Oracle Cloud services. This “wordplay”, as Beaumont calls it, enables Oracle to deny that Oracle Cloud was breached.
“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it,” the researcher said.
Reports of an apparently unrelated Oracle Health data breach have also been circulating over the past days. According to Bleeping Computer, the information of patients from multiple US healthcare organizations was compromised in that incident.
Related: Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy
Related: TalkTalk Confirms Data Breach, Downplays Impact
Related: Conduent Confirms Cyberattack After Government Agencies Report Outages
About The Author
Original post here
