Pierluigi Paganini
April 10, 2025
Oracle confirmed a hacker stole and leaked credentials from two obsolete servers, but said no Oracle Cloud systems or customer data were affected. The threat actor accessed usernames from two outdated, non-Oracle Cloud Infrastructure (OCI) servers, but no customer data was exposed.
“Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach,” reads the notification sent by Oracle to its customers, including an Italian organizations that shared the image with Security Affairs.”No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,”
Last week, Oracle confirmed a data breach and started informing customers while downplaying the impact of the incident.
A threat actor using the moniker ‘rose87168’ claimed to possess millions of data lines tied to over 140,000 Oracle Cloud tenants, including encrypted credentials.
The hacker has published 10,000 customer records, a file showing Oracle Cloud access, user credentials, and an internal video as proof of the hack.
rose87168 initially attempted to extort Oracle for $20 million, but later pivoted, offering the stolen data for sale or in exchange for zero-day exploits. The incident has raised serious concerns about the security of Oracle’s cloud infrastructure and the potential implications for affected customers.
Oracle denied the threat actor’s claims, stating there was no breach of Oracle Cloud’s systems and that the leaked credentials were unrelated. The company assured that no customer data was compromised.
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” states the company.
Cyber security firm CybelAngel first reported that Oracle communicated to stakeholders about a security breach.
“CybelAngel has received information from a threat intelligence source that reports Oracle has communicated to stakeholders regarding a security incident involving their Gen 1 servers.” reported CybelAngel. “Our source, who we are not naming as requested, is reporting that Oracle has allegedly determined an attacker who was in the shared identity service as early as January 2025.”
BleepingComputer also reported that multiple companies confirmed the leaked Oracle data as authentic, including accurate LDAP names, emails, and other identifiers. The hacker claimed full access to data on 6 million users and shared emails with Oracle, including one from a ProtonMail address allegedly tied to Oracle. Cybersecurity firm Cloudsek also noted that a vulnerable Oracle Fusion Middleware version was running on the compromised server. Oracle has since taken the server offline.
Oracle initially privately notified customers of a breach affecting usernames, passkeys, and encrypted passwords, with the FBI and CrowdStrike investigating the incident. Researcher Kevin Beaumont said that Oracle has only issued verbal breach notifications to cloud customers, with no written communication provided.
“Oracle Corp. has told customers that a hacker broke into a computer system and stole old client log-in credentials, according to two people familiar with the matter. It’s the second cybersecurity breach that the software company has acknowledged to clients in the last month.” reported Bloomberg.
Oracle confirmed that the incident impacted an unused legacy system, but a source told Bloomberg some compromised credentials date back to 2024
“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.” Beaumont wrote.
“Update 1 — Oracle rebadged old Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on “Oracle Cloud” by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.
Update 2 — although Oracle used the archive.org exclusion process to remove evidence of writing to one of the Oraclecloud.com webservers, they forgot to remove the 2nd URL (click picture for hyperlink).“
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Oracle)
