It’s been a tense few weeks for businesses relying on Oracle’s E-Business Suite (EBS), as a sweeping cyberattack has left more than 100 companies on edge. According to Google’s threat intelligence team and Mandiant, a large-scale extortion campaign began in September 2025, targeting organizations that depend on Oracle’s widely used business software. The attackers—who claim to be affiliated with the notorious CL0P extortion brand—have been sending a barrage of emails to executives, falsely asserting that sensitive data was stolen from their Oracle EBS environments.
Google’s security researchers sounded the alarm in a blog post on October 10, 2025, urging Oracle customers to apply emergency patches immediately. They weren’t mincing words, warning that the hackers may have exploited a zero-day vulnerability as early as August, weeks before Oracle released a patch. Some suspicious activity even goes back to July, raising fears that the breach may have been festering undetected for months. As Reuters’ Raphael Satter reported, the breach “may have started months ago” and involved “mass amounts of customer data” being stolen.
Oracle, for its part, confirmed that vulnerabilities exploited by the attackers were patched in July 2025. But the company also recommended earlier this month that customers apply the latest critical patch updates without delay. In a move that underscores the urgency, Google provided a checklist for Oracle users: hunt for malicious database templates, restrict outbound internet access, monitor network logs for suspicious activity, and use memory forensics to determine if systems have been compromised.
The scale and audacity of the attack are striking. Google noted that the hackers—operating under the CL0P brand, which established its data leak site in 2020—conducted mass exploitation of Oracle EBS file transfer systems. They stole data and then, weeks later, began their extortion attempts. In September alone, the attackers unleashed a high-volume email campaign, using hundreds or even thousands of compromised third-party accounts. These credentials were likely obtained from stolen password databases circulating on underground forums, according to Google’s analysis.
The emails, which landed in the inboxes of company executives across the globe, claimed that the attackers had breached Oracle EBS systems and made off with sensitive documents. To add credibility—and a dose of fear—the emails included legitimate file listings from victim systems, some dating back to mid-August. The extortion messages threatened that unless a payment was made (details of which were left vague), the stolen data would be released. The emails also provided contact addresses that have been listed on the CL0P site since at least May, further tying the campaign to the well-known cybercrime group.
Despite the chilling threats, as of October 10, 2025, Google had not observed any victim data from this campaign posted on the CL0P leak site. That doesn’t mean the risk has passed; in previous campaigns, actors have typically waited several weeks before making stolen data public. The uncertainty is palpable—will the attackers follow through, or is this a bluff designed to maximize panic and payouts?
Oracle’s response has been swift but measured. After patching the exploited vulnerabilities in July, the company doubled down on its advice to customers earlier this month: apply the critical updates immediately. Google’s assessment is cautiously optimistic—EBS servers updated with the latest patches are likely no longer vulnerable to the known exploitation methods. Still, the company emphasized vigilance, noting that the attackers’ tactics are constantly evolving.
The broader context only heightens the sense of alarm. As reported by various outlets, including 404 Media and The Guardian, the Oracle hack is just one in a series of high-profile cyberattacks this year. Discord, a popular messaging platform, recently suffered its own breach, with hackers accessing sensitive user data—including selfies, ID documents, and contact details—and attempting to extort the company. It’s a reminder that no digital fortress is truly impregnable, and that attackers are growing bolder and more sophisticated by the day.
For Oracle customers, the message is clear: act now, or risk becoming the next headline. Google’s blog post lays out the steps in stark terms—search for malicious database templates (a favorite tool for attackers looking to maintain access), restrict outbound internet access (to prevent data exfiltration), monitor network logs for any suspicious activity, and use memory forensics to detect traces of compromise. These are not just best practices; they’re essential defenses in an era where cyber extortion is big business.
The CL0P group, which has been linked to several high-profile ransomware and extortion campaigns in recent years, has a reputation for targeting large organizations and demanding hefty ransoms. Their data leak site, established in 2020, serves as both a marketplace for stolen data and a public shaming platform for victims who refuse to pay. The group’s modus operandi typically involves exploiting zero-day vulnerabilities, stealing data en masse, and then launching coordinated extortion efforts weeks later—just as seen in the current Oracle EBS campaign.
One particularly unsettling aspect of this campaign is the use of compromised third-party accounts to send extortion emails. By leveraging credentials from stolen password databases, the attackers can bypass some security controls and make their emails appear more legitimate. It’s a tactic that’s become increasingly common, as cybercriminals trade and sell vast troves of stolen credentials on underground forums.
So far, the full scope of the damage remains unclear. Google’s warning that “over 100 companies may be affected” suggests a wide net, but the true number of compromised organizations could be even higher. The fact that mass exploitation began as early as July, with zero-day vulnerabilities in play, means some victims may still be unaware that their data has been stolen—or that they’re being watched by cybercriminals waiting for the right moment to strike.
What’s next for those affected? The immediate priority is patching vulnerable systems and scouring networks for signs of compromise. But the longer-term challenge is staying ahead of attackers who are constantly probing for new weaknesses. As Google and Oracle have both made clear, timely patching is essential, but so is a culture of security vigilance—monitoring, restricting, and, when necessary, responding quickly to threats as they emerge.
The Oracle EBS campaign is a sobering reminder that even the most trusted business platforms can be targets. With attackers growing more organized and relentless, companies must remain alert, proactive, and ready to respond at a moment’s notice. For now, patched systems appear to be holding strong, but the battle for digital security is far from over.