Oracle Discreetly Informs Customers of Cloud Data Breach


Pierluigi Paganini
April 06, 2025

Oracle Acknowledges Cloud Data Breach While Downplaying Its Severity

Oracle has confirmed a data breach affecting its cloud services, notifying clients while playing down the incident's significance. The breach stems from unauthorized access by a threat actor known as ‘rose87168,’ who claims to have obtained roughly six million records belonging to more than 140,000 Oracle Cloud tenants, including encrypted credentials.

As evidence, the threat actor released a sample of 10,000 customer records, a file containing Oracle Cloud access credentials, and a video of an internal Oracle meeting. rose87168 initially tried to extort Oracle for $20 million, then offered the stolen data for sale or in exchange for undisclosed zero-day exploits. The case has raised concerns about the security of Oracle's cloud infrastructure and the potential impact on its customers.

Oracle initially denied that any data had been compromised, asserting that the leaked credentials were unrelated to its cloud services. The company stated flatly that “there has been no breach of Oracle Cloud” and that no customers had experienced any loss of data.

However, BleepingComputer reported that multiple organizations verified the authenticity of the leaked data, which includes accurate LDAP display names, email addresses, and other identifying information. The threat actor also shared emails exchanged with Oracle, including one from a ProtonMail account allegedly associated with the company. Cybersecurity firm CloudSEK further noted that the compromised server was running a vulnerable version of Oracle Fusion Middleware; Oracle has since taken the server offline.

Oracle is now privately notifying affected customers that usernames, passkeys, and encrypted passwords were compromised, while the FBI and CrowdStrike are investigating the breach. Security researcher Kevin Beaumont notes that Oracle has communicated the breach to clients mainly verbally, without providing formal written notifications.

Reports indicate that Oracle has described the breach to customers as affecting a legacy system no longer in active use, although some of the compromised credentials are as recent as 2024. This is the second security breach Oracle has acknowledged to its customers within a month, adding to the concerns of those affected.

Industry observers have criticized Oracle's handling of communications, pointing out that the company's phrasing appears deliberately selective in order to limit its responsibility. They stress the need for transparency and accountability and urge Oracle to give customers clear and complete information about the breach and its implications.

The ongoing investigation may reveal further details about the attackers' techniques, including how they achieved initial access, escalated privileges, and maintained persistence, as categorized in the MITRE ATT&CK framework. In the meantime, affected organizations should treat the exposed credentials as compromised and rotate them.

