
Oracle privately confirms Cloud breach to customers


Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a "legacy environment" last used in 2017, Bloomberg reported.

However, while Oracle told clients this is old legacy data that is not sensitive, the threat actor behind the attack has shared data with BleepingComputer from the end of 2024 and posted newer records from 2025 on a hacking forum.

According to Bloomberg, the company also informed clients that cybersecurity firm CrowdStrike and the FBI are investigating the incident.

Cybersecurity firm CybelAngel first revealed that Oracle told clients that an attacker who gained access to the company's Gen 1 (also known as Oracle Cloud Classic) servers as early as January 2025 used a 2020 Java exploit to deploy a web shell and additional malware.

During the breach, detected in late February, the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.

This comes after a threat actor known as rose87168 put 6 million data records up for sale on BreachForums on March 20, releasing multiple text files (a sample database, LDAP information, and a list of affected companies) as proof that the data was legitimate. All of it was allegedly stolen from Oracle Cloud's federated SSO login servers.

Threat actor selling data allegedly stolen from Oracle Cloud (BleepingComputer)

When asked to confirm the authenticity of the leaked data, Oracle told BleepingComputer that "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

Oracle denied this even after an archived URL showed that the threat actor uploaded a file containing their email address to one of Oracle's servers. This URL was subsequently removed from Archive.org, but an archive of the archive still exists.

However, days later, BleepingComputer confirmed with multiple companies that additional samples of the leaked data (including associated LDAP display names, email addresses, given names, and other identifying information) received from the threat actor were valid.

Oracle has consistently denied reports of a breach in "Oracle Cloud" in statements shared with the press since the incident surfaced. Strictly speaking, this is true: it aligns with reports that Oracle is telling customers the breach impacted an older platform known as Oracle Cloud Classic rather than the current Oracle Cloud Infrastructure offering.

"Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident," cybersecurity expert Kevin Beaumont confirmed on Monday. "Oracle are denying it on 'Oracle Cloud' by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay."

An Oracle spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details on the Oracle Cloud breach.

Breach at Oracle Health

Last week, Oracle also notified customers of a breach at the software-as-a-service (SaaS) company Oracle Health (formerly Cerner), impacting multiple U.S. healthcare organizations and hospitals.

Even though the company has not publicly disclosed this incident, BleepingComputer verified that patient data was stolen in the attack, based on private communications between Oracle Health and impacted customers and on conversations with those involved.

Oracle Health said it detected the breach of legacy Cerner data migration servers on February 20, 2025, and that the attackers used compromised customer credentials to hack into the servers sometime after January 22, 2025.

Sources told BleepingComputer that the impacted hospitals are now being extorted by a threat actor named "Andrew," who has not claimed affiliation with extortion or ransomware groups.

The threat actor is demanding millions of dollars in cryptocurrency not to leak or sell the stolen data and has created clearnet websites about the breach to pressure the hospitals into paying the ransom.

BleepingComputer has contacted Oracle Health multiple times about this incident since March 4, but we have not received a reply.
