Oracle Cloud Now Admits To Having Been Hacked
Following an initial denial, Oracle has now admitted to customers that a hacker broke into a computer system and stole ‘old’ client log-in credentials after breaching a legacy environment last used in 2017.
However, while Oracle told customers that this is ‘old’ legacy data and that it is not sensitive, the threat actor behind the attack has posted new data from 2025 on a hacking forum.
Now, Oracle has told clients that it has called in the leading cyber security firm, CrowdStrike, who are investigating the incident.
Another security firm, CybelAngel, first revealed that Oracle told clients that an attacker gained access to the company's Gen 1 servers (also known as Oracle Cloud Classic) as early as January 2025 and used a 2020 Java exploit to deploy a web shell and additional malware.
During the breach, detected in late February, the attacker, known as @rose87168, allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.
This comes after a threat actor placed 6 million data records for sale on a Dark Web criminal forum on March 20th 2025 and released multiple text files containing a sample database, LDAP information, and a list of the companies as proof that the data was legitimate, all of them apparently stolen from Oracle Cloud's federated SSO login servers.
Oracle continued to deny this, even after an archived URL showed that the threat actor had uploaded a file containing their email address to one of Oracle's servers. Indeed, Oracle has consistently denied reports of a breach of Oracle Cloud since the incident surfaced, which is correct only to the extent that the breach was confined to an obsolescent platform, Oracle Cloud Classic.
The breach of an outdated platform has certainly had consequences for current users, and Oracle has now confirmed a breach of Oracle Health, which affected US healthcare organisations and hospitals. Oracle Health said it detected the breach of legacy data migration servers on February 20, 2025, and that the attackers used compromised customer credentials to penetrate these servers sometime after January 22, 2025.
This high profile breach is the latest example of the risk to identity and access information, even when hosted by the most experienced cloud infrastructure providers.
Bloomberg | Bleeping Computer | Cybelangel | Reuters | Tech Market Review | Security Week