Oracle privately confirms Cloud breach to customers
Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a "legacy environment" last used in 2017, Bloomberg reported.
However, while Oracle told clients this is old legacy data that is not sensitive, the threat actor behind the attack has shared data with BleepingComputer from the end of 2024 and posted newer records from 2025 on a hacking forum.
According to Bloomberg, the company also informed clients that cybersecurity firm CrowdStrike and the FBI are investigating the incident.
Cybersecurity firm CybelAngel first revealed that Oracle told clients that an attacker who gained access to the company's Gen 1 (also known as Oracle Cloud Classic) servers as early as January 2025 used a 2020 Java exploit to deploy a web shell and additional malware.
During the breach, detected in late February, the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.
This comes after a threat actor (known as rose87168) put up for sale 6 million data records on BreachForums on March 20 and released multiple text files containing a sample database, LDAP information, and a list of the companies as proof that the data was legitimate, all of them allegedly stolen from Oracle Cloud's federated SSO login servers.
When asked to confirm the authenticity of the leaked data, Oracle told BleepingComputer that "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Oracle denied this even after an archived URL showed that the threat actor uploaded a file containing their email address to one of Oracle's servers. This URL was subsequently removed from Archive.org, but an archive of the archive still exists.
However, days later, BleepingComputer confirmed with multiple companies that additional samples of the leaked data (including associated LDAP display names, email addresses, given names, and other identifying information) received from the threat actor were valid.
Oracle has consistently denied reports of a breach in Oracle Cloud in statements shared with the press since the incident surfaced. This is admittedly true since it aligns with the reports that Oracle is telling customers that the breach impacted an older platform known as Oracle Cloud Classic.
"Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident," cybersecurity expert Kevin Beaumont confirmed on Monday. "Oracle are denying it on 'Oracle Cloud' by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay."
An Oracle spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details on the Oracle Cloud breach.
Breach at Oracle Health
Last week, Oracle also notified customers of a breach at the software-as-a-service (SaaS) company Oracle Health(formerly Cerner), impacting multiple U.S. healthcare organizations and hospitals.
Even though the company has not publicly disclosed this incident, BleepingComputer confirmed that patient data was stolen in the attack, as confirmed by private communications between Oracle Health and impacted customers and from conversations with those involved.
Oracle Health said it detected the breach of legacy Cerner data migration servers on February 20, 2025, and that the attackers used compromised customer credentials to hack into the servers sometime after January 22, 2025.
Sources told BleepingComputer that the impacted hospitals are now being extorted by a threat actor named "Andrew," who has not claimed affiliation with extortion or ransomware groups.
The threat actor is demanding millions of dollars in cryptocurrency not to leak or sell the stolen data and has created clearnet websites about the breach to pressure the hospitals into paying the ransom.
BleepingComputer has contacted Oracle Health multiple times about this incident since March 4, but we have not received a reply.
Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Texas State Bar warns of data breach after INC ransomware claims attack
Ivanti patches Connect Secure zero-day exploited since mid-March
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalSec-Fetch-User Header is Missing
InformationalBase64 Disclosure in WebSocket message
LowStrict-Transport-Security Malformed Content (Non-compliant with Spec)
InformationalAuthentication Request Identified
InformationalUsername Hash Found
HighSQL Injection
Free online web security scanner
