Oracle Privately Confirms Data Breach After Public Denials
Oracle Corporation has quietly informed customers that a threat actor breached one of its legacy systems and stole old login credentials, marking a stark shift from its earlier public stance denying any security incident.
The confirmation follows weeks of mounting reports and comes as the second cybersecurity breach Oracle has disclosed to clients in recent months. According to a report by Bloomberg, Oracle staff told select customers that the compromised system, referred to as a “legacy environment,” contained sensitive authentication data, including usernames, passkeys, and encrypted passwords. The FBI and cybersecurity firm CrowdStrike are now involved in investigating the breach.
Breach Timeline and Response
This disclosure contradicts Oracle’s public statements from March, when reports emerged that a hacker was attempting to sell 6 million stolen records allegedly sourced from Oracle Cloud. At the time, Oracle insisted there had been no breach, stating, “The published credentials are not for Oracle Cloud.” The company maintained that no Oracle Cloud customer data was exposed.
However, cybersecurity experts accused Oracle of downplaying the incident by rebranding affected systems as “Oracle Classic” instead of “Oracle Cloud,” even though they were managed cloud services. “Oracle rebadged old Oracle Cloud services to be Oracle Classic,” said cybersecurity analyst Kevin Beaumont. “It’s still Oracle cloud services that Oracle manages.”
Fresh Data, Old System
Despite Oracle’s claims that the affected system had been dormant for eight years, internal sources revealed that some of the compromised data included credentials active as recently as 2024. The hacker, operating under the alias ‘rose87168’, initially demanded $20 million in ransom before offering the stolen data for sale on hacker forums.
The attack reportedly began in January 2025, with the threat actor deploying malware and a webshell targeting Oracle’s Identity Manager (IDM) database.
Another Breach in Healthcare Division
This breach is separate from another incident Oracle disclosed last month involving its healthcare division. Hackers reportedly exploited legacy Cerner data migration servers, gaining access after January 22, 2025, by using stolen credentials to extract patient data from several U.S. healthcare providers.
Legal Fallout and Security Concerns
Oracle’s handling of both breaches has led to legal repercussions. A class action lawsuit filed in Texas accuses the company of failing to protect users’ private information and delaying breach disclosure beyond the required 60-day window.
Security professionals have raised concerns about the broader implications for cloud security. “Customers trust cloud providers to ensure tenant isolation,” said Sunil Varkey of Beagle Security. “But if one breach can expose 6 million records across 140,000 tenants, that trust is seriously undermined.”
As of now, Oracle has not issued a public statement about either incident and continues to communicate privately with affected clients.