Pierluigi Paganini
April 06, 2025
Oracle confirms a data breach and started informing customers while downplaying the impact of the incident.
A threat actor using the moniker ‘rose87168’ claimed to possess millions of data lines tied to over 140,000 Oracle Cloud tenants, including encrypted credentials.
The hacker has published 10,000 customer records, a file showing Oracle Cloud access, user credentials, and an internal video as proof of the hack.
rose87168 initially attempted to extort Oracle for $20 million, but later pivoted, offering the stolen data for sale or in exchange for zero-day exploits. The incident has raised serious concerns about the security of Oracle’s cloud infrastructure and the potential implications for affected customers.
Oracle denied the threat actor’s claims, stating there was no breach of Oracle Cloud and that the leaked credentials were unrelated. The company assured that no customer data was compromised.
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” states the company.
BleepingComputer reported that multiple companies confirmed the leaked Oracle data as authentic, including accurate LDAP names, emails, and other identifiers. The hacker claimed full access to data on 6 million users and shared emails with Oracle, including one from a ProtonMail address allegedly tied to Oracle. Cybersecurity firm Cloudsek also noted that a vulnerable Oracle Fusion Middleware version was running on the compromised server. Oracle has since taken the server offline.
Oracle is privately notifying customers of a breach affecting usernames, passkeys, and encrypted passwords, with the FBI and CrowdStrike investigating the incident. Researcher Kevin Beaumont said that Oracle has only issued verbal breach notifications to cloud customers, with no written communication provided.
“Oracle Corp. has told customers that a hacker broke into a computer system and stole old client log-in credentials, according to two people familiar with the matter. It’s the second cybersecurity breach that the software company has acknowledged to clients in the last month.” reported Bloomberg.
Oracle confirmed that the incident impacted an unused legacy system, but a source told Bloomberg some compromised credentials date back to 2024
“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.” Beaumont wrote.
“Update 1 — Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on “Oracle Cloud” by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.
Update 2 — although Oracle used the archive.org exclusion process to remove evidence of writing to one of the Oraclecloud.com webservers, they forgot to remove the 2nd URL (click picture for hyperlink).“
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
