Oracle Corp. has confirmed to its clients that a significant cybersecurity breach has occurred, resulting in the theft of old client login credentials. This acknowledgment comes after weeks of public denials and represents the second cybersecurity incident the company has disclosed to customers in recent months.
Oracle staff informed select clients on April 9, 2025, that attackers had compromised a "legacy environment" and gained unauthorized access to authentication data, including usernames, passkeys, and encrypted passwords. Oracle has brought in the FBI and the cybersecurity firm CrowdStrike to investigate the incident.
The breach first came to light in March 2025 when reports emerged that a threat actor was attempting to sell 6 million data records allegedly stolen from Oracle Cloud infrastructure. At that time, Oracle firmly denied any breach, stating, "There has been no breach of Oracle Cloud." They further emphasized, "The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, security experts have criticized Oracle’s response, suggesting that the company is engaging in "wordplay" by rebranding compromised systems as "Oracle Classic" to maintain its claim that "Oracle Cloud" was not breached.
Cybersecurity expert Kevin Beaumont noted, "Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle is denying it on 'Oracle Cloud' by using this scope—but it’s still Oracle cloud services that Oracle manages." Despite Oracle's attempts to downplay the severity of the situation by claiming that the compromised system hasn't been used in eight years, sources have revealed that stolen data included credentials from as recently as 2024.
The threat actor, who goes by the moniker 'rose87168', initially demanded a staggering $20 million extortion payment. Following this, the hacker offered to sell the data on various hacking forums. Reports indicate that after gaining initial access, the attacker deployed a webshell and malware specifically targeting Oracle’s Identity Manager (IDM) database as early as January 2025.
This incident is separate from another breach Oracle disclosed to healthcare customers last month, where hackers infiltrated legacy Cerner data migration servers after January 22, 2025. They used compromised customer credentials to steal patient information from multiple U.S. healthcare organizations.
The fallout from these breaches has already led to legal consequences for Oracle. A class action lawsuit filed in the U.S. District Court for the Western District of Texas accuses the company of failing to secure private information and concealing the breach from affected users beyond the required 60-day notification window.
Security experts are warning that these breaches fundamentally undermine the assumptions surrounding cloud security. Sunil Varkey, an advisor at Beagle Security, stated, "Cloud customers were engaged on a bedrock security promise: tenant isolation and segregation contain breaches. However, a single hack reportedly exposed 6 million records across 140,000 tenants… shattering that illusion." As investigations continue, Oracle has yet to make a public statement acknowledging either breach, maintaining its pattern of private disclosures to affected customers while remaining silent publicly on the incidents.
Taken together, the two incidents raise concerns about the state of Oracle's security infrastructure and its ability to detect and contain persistent intrusions. Customers have expressed frustration over the lack of transparency regarding how the breach occurred, the scope of the affected data, and what Oracle is doing to prevent future intrusions.
Oracle's clientele spans various industries, including finance, healthcare, retail, and manufacturing, with many relying on its cloud services and enterprise databases to manage critical business operations. A breach of this nature serves as a stark reminder for companies across sectors to re-evaluate their own security measures and demand greater accountability from service providers.
Cybersecurity analysts point to two baseline controls: storing passwords only as salted, slow hashes rather than in reversible form, so that a stolen credential store cannot simply be decrypted, and requiring multi-factor authentication (MFA) so that a recovered password alone does not grant access. Some experts also argue that Oracle should have decommissioned stale client credentials earlier, since an account nobody has used for years is pure exposure in the event of a system compromise.
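The audit those analysts describe (find credentials that are stale, stored in a reversible or weak format, or not protected by MFA) is straightforward to script against an identity export. The following is an added example written for this article, not Oracle's tooling and not based on any Oracle data: the account records, the field names (`user`, `last_login`, `storage`, `mfa`) and the 90-day staleness threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample identity export. These are not real accounts; the
# field layout is an assumption for this example.
ACCOUNTS = [
    {"user": "alice",      "last_login": "2025-03-30", "storage": "argon2id",    "mfa": True},
    {"user": "bob",        "last_login": "2024-11-02", "storage": "aes-256-cbc", "mfa": False},
    {"user": "svc-legacy", "last_login": "2017-05-14", "storage": "sha1",        "mfa": False},
    {"user": "carol",      "last_login": "2025-04-01", "storage": "bcrypt",      "mfa": True},
]

# Password storage formats considered acceptable: slow, salted KDFs.
# Anything else (reversible encryption, fast unsalted digests) is flagged.
ACCEPTABLE_KDFS = {"argon2id", "argon2i", "scrypt", "bcrypt", "pbkdf2-sha256"}


def audit_accounts(accounts, now, stale_after_days=90):
    """Return {user: [issues]} for every account in the export.

    Issues are 'stale' (no login within stale_after_days), 'weak-storage'
    (credential not stored with an acceptable KDF) and 'no-mfa'.
    An empty list means the account passed all three checks.
    """
    cutoff = now - timedelta(days=stale_after_days)
    findings = {}
    for acct in accounts:
        issues = []
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if last < cutoff:
            issues.append("stale")
        if acct["storage"] not in ACCEPTABLE_KDFS:
            issues.append("weak-storage")
        if not acct["mfa"]:
            issues.append("no-mfa")
        findings[acct["user"]] = issues
    return findings


def decommission_list(findings):
    """Accounts that should be disabled outright: stale ones, sorted by name."""
    return sorted(user for user, issues in findings.items() if "stale" in issues)


if __name__ == "__main__":
    now = datetime(2025, 4, 9, tzinfo=timezone.utc)
    results = audit_accounts(ACCOUNTS, now)
    for user, issues in results.items():
        print(f"{user:12s} {'OK' if not issues else ', '.join(issues)}")
    print("disable:", decommission_list(results))
```

Run against a real export, the `stale` set is the list to disable before an attacker gets to use it, and `weak-storage` is the list that needs a forced reset after migration to a proper KDF, since existing hashes cannot be upgraded in place without the plaintext.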
While Oracle has yet to issue a comprehensive public statement about the breach, the company is reportedly working with cybersecurity specialists to investigate the incident and implement stronger safeguards. In the meantime, affected customers are urged to monitor their accounts for unusual activity and consider additional security measures to protect their data.
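"Monitor accounts for unusual activity" is only actionable if you know what to look for. With leaked credentials the two signals worth alerting on first are a run of failed logins followed by a success for the same user and source (credential stuffing that finally hit a valid password) and a successful login from a source the user has never used before. The block below is an added example written for this article, not Oracle code; the log line format, the sample lines, the per-user baseline of known sources and the failure threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format for this example: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log. Addresses are from documentation ranges; not real traffic.
SAMPLE_LOG = """\
2025-04-09T10:00:01Z user=alice src=198.51.100.10 result=success
2025-04-09T10:05:11Z user=bob src=203.0.113.7 result=failure
2025-04-09T10:05:12Z user=bob src=203.0.113.7 result=failure
2025-04-09T10:05:13Z user=bob src=203.0.113.7 result=failure
2025-04-09T10:05:14Z user=bob src=203.0.113.7 result=failure
2025-04-09T10:05:15Z user=bob src=203.0.113.7 result=success
2025-04-09T11:20:00Z user=carol src=198.51.100.22 result=success
this line is not an auth event and is skipped
"""

# Constructed baseline: sources each user has logged in from historically.
BASELINE_SOURCES = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "carol": {"198.51.100.22"},
}


def parse_events(log):
    """Parse log text into dicts; lines that do not match the format are dropped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, baseline, failure_threshold=3):
    """Return a list of (rule, user, src) alerts, in event order.

    'failures-then-success': at least failure_threshold consecutive failures
    for (user, src) immediately preceding a success from that same pair.
    'new-source': a success from a src absent from the user's baseline.
    """
    alerts = []
    failures = defaultdict(int)  # consecutive failure count per (user, src)
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        # Success: evaluate both rules, then reset the failure streak.
        if failures[key] >= failure_threshold:
            alerts.append(("failures-then-success", e["user"], e["src"]))
        if e["src"] not in baseline.get(e["user"], set()):
            alerts.append(("new-source", e["user"], e["src"]))
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), BASELINE_SOURCES):
        print(alert)
```

On the sample above only `bob` fires, on both rules, which is the pattern a stolen-password login typically leaves. In a real deployment the baseline would be built from the prior weeks of successful logins rather than hard-coded, and a `new-source` hit for a user with MFA enforced is lower priority than one without.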
As Oracle navigates the fallout from its second breach in a month, this incident serves as a wake-up call for businesses to prioritize cybersecurity at every level. The escalating sophistication of cybercriminals and the vulnerabilities within even the most robust corporate networks highlight the critical need for vigilance and proactive measures in protecting sensitive information.