Oracle Confirms Data Breach in Legacy Cloud Systems: What You Need to Know

Oracle confirms data breach that a hacker accessed two legacy, deprecated servers—not part of Oracle Cloud Infrastructure (OCI)—leaking login credentials such as usernames, passkeys, and encrypted passwords. These credentials may date from as recently as 2024, despite Oracle initially claiming they were from systems unused since 2017–2018. Let’s understand Oracle Data Breach.

The hacker, known as rose87168, is said to have attempted extortion, offering the data for sale or exchange and seeking payment to delete compromised records. Oracle continues to assert that OCI remains secure, maintaining no customer data was accessed, viewed, or stolen.

Scope & Impact

• Researchers and security firms (e.g., CloudSEK) corroborate the hacker’s claims, asserting that more than 6 million records were exfiltrated, affecting over 140,000 tenant organizations.
• CISA (U.S. Cybersecurity and Infrastructure Security Agency) issued an official alert, warning about the substantial risks posed by stolen credentials—especially when they are embedded in scripts or systems, which make detection difficult.
• Law enforcement investigations involving the FBI and CrowdStrike are underway.
• A class-action lawsuit has been filed, alleging Oracle’s failure to promptly notify affected customers and secure their data, raising concerns of potential identity theft and fraud.

Who Is “rose87168” & How Did They Do It?

• Threat Actor Details
  The hacker marketed stolen data on dark web forums, demanding ransom or offering data exchange for zero-day vulnerabilities.
• Method of Breach
  Reports point to exploitation of a Java vulnerability (CVE-2021-35587 or similar), enabling deployment of malware and web shell into Oracle’s identity management systems. Attack spanned from around January to February 2025.

Anatomy of the Attack

According to multiple reports, attackers exploited a known Java vulnerability to infiltrate Oracle’s legacy systems. The main target was the Oracle Identity Manager (IDM) database, used to manage authentication and identity access.

Once inside, the attacker accessed and exfiltrated:

• Usernames and email addresses
• Hashed passwords
• Encrypted SSO and LDAP credentials
• Java Key Store (JKS) files and sensitive security keys

The breach is believed to have affected over 140,000 Oracle Cloud Classic tenants, with more than 6 million records stolen. Alarmingly, the attacker attempted to sell the stolen data on dark web forums and even sought help to decrypt credentials—raising the risk of downstream attacks.

Investigations & Regulatory Response

• Law Enforcement & Internal Investigations
  The FBI and security firm CrowdStrike have been engaged to investigate the breach.
• Governmental Alerts
  CISA issued guidance on April 16, 2025, highlighting critical risks tied to credential theft—especially when embedded in code or infrastructure.
  Other advisories from HIPAA Journal and media confirmed the incident’s impact and need for action.

Oracle Confirms Data Breach: What Data Was Compromised?

Preliminary investigations reveal that approximately 6 million records were compromised, impacting over 140,000 Oracle cloud tenants. The stolen data reportedly includes:

The threat actor attempted to sell the stolen data on dark web forums and even requested help to decrypt credentials. This significantly increases the risk of credential-based attacks.

Oracle’s Response: Clarity or Confusion?

Oracle’s public handling of the incident has been criticized for lack of clarity. Initially, the company stated, “There has been no breach of Oracle Cloud,” referring narrowly to its modern Gen 2 environment.

However, security professionals such as Kevin Beaumont pointed out the semantic maneuvering:

Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on ‘Oracle Cloud’ by using this scope.

While Oracle later confirmed the breach privately to impacted clients and engaged CrowdStrike and the FBI for investigation, the absence of a transparent, public advisory has raised concerns about vendor accountability in cybersecurity.

Who Is Affected and What Should You Do?

Organizations that use or have used Oracle Cloud Classic (Gen 1) should assume exposure unless officially cleared by Oracle.

• Organisations using Oracle Cloud Classic (Gen 1)
• Indirectly, SaaS providers built on Oracle infrastructure
• Partners and customers storing credentials in integrated systems

Recommended Actions:

1. Reset All Credentials
   Immediately rotate all passwords, tokens, and keys—especially those tied to legacy Oracle services.
2. Enable Multi-Factor Authentication (MFA)
   If not already enforced, MFA adds a crucial second layer of defense.
3. Conduct a Security Audit
   Examine logs for suspicious access and scan for shadow IT deployments connected to Oracle Classic.
4. Review Third-Party Integrations
   Assess vendor risk, particularly if other systems consume Oracle IDM or cloud APIs.

The breach involving Oracle Cloud Classic is a wake-up call for any organization relying on outdated systems. While Oracle Cloud Infrastructure Gen 2 remains secure, the incident highlights the pressing need to modernize, enhance visibility, and enforce robust cloud security policies.

Frequently Asked Questions (FAQ)

Read More –

• A Top 5 Disruptive Trend in Cybersecurity for 2025
• Cloud Security Best Practices Every CISO Needs to Master
• Safeguarding Your Digital World: The Ultimate Data Protection Strategy Guide
• Social Media Privacy Invasion: What Platforms Really Know About You
• Third Party Risk Assessment: Vendor Due Diligence Requirements