Oracle Confirms Breach of Legacy Systems and Theft of Client Login Credentials

Oracle Corporation has recently acknowledged a security breach involving unauthorized access to one of its legacy computer systems, resulting in the theft of client login credentials. This incident marks the second cybersecurity event disclosed by Oracle in recent months, following initial public denials.

Details of the Breach

In communications with select clients, Oracle revealed that attackers infiltrated a legacy environment, compromising authentication data such as usernames, passkeys, and encrypted passwords. The Federal Bureau of Investigation (FBI) and cybersecurity firm CrowdStrike have been engaged to investigate the breach. ([reuters.com](https://www.reuters.com/technology/cybersecurity/oracle-tells-clients-second-recent-hack-log-in-data-stolen-bloomberg-news-2025-04-02/?utm_source=openai))

The threat actor, identified by the alias ‘rose87168,’ initially demanded a $20 million extortion payment before attempting to sell the stolen data on hacking forums. Reports indicate that the attacker deployed a web shell and malware targeting Oracle’s Identity Manager (IDM) database as early as January 2025. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/?utm_source=openai))

Oracle’s Response and Public Statements

Oracle’s recent acknowledgment contrasts with its earlier public statements denying any breach. In March, when reports emerged of a threat actor claiming to sell 6 million data records allegedly stolen from Oracle Cloud infrastructure, the company stated: “There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.” ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/?utm_source=openai))

Security researchers have criticized Oracle’s response, suggesting the company is engaging in wordplay by rebranding the compromised systems as “Oracle Classic” to maintain its claim that Oracle Cloud wasn’t breached. Cybersecurity expert Kevin Beaumont noted, “Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle is denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage.” ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/?utm_source=openai))

Implications for Clients and Cloud Security

While Oracle attempts to downplay the severity by claiming the compromised system hasn’t been used in eight years, sources contradict this assertion, revealing that stolen data included credentials from as recently as 2024. This discrepancy raises concerns about the security of client data and the effectiveness of Oracle’s legacy system management. ([reuters.com](https://www.reuters.com/technology/cybersecurity/oracle-tells-clients-second-recent-hack-log-in-data-stolen-bloomberg-news-2025-04-02/?utm_source=openai))

This incident is separate from another breach Oracle disclosed to healthcare customers last month. In that attack, hackers infiltrated legacy Cerner data migration servers after January 22, 2025, using compromised customer credentials to steal patient information from multiple U.S. healthcare organizations. ([reuters.com](https://www.reuters.com/technology/fbi-investigating-cyberattack-oracle-bloomberg-news-reports-2025-03-28/?utm_source=openai))

The company’s handling of these security incidents has already sparked legal consequences. A class-action lawsuit filed in the U.S. District Court for the Western District of Texas accuses Oracle of failing to secure private information and concealing the breach from affected users beyond the required 60-day notification window. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/?utm_source=openai))

Security experts warn that these breaches fundamentally undermine cloud security assumptions. Sunil Varkey, advisor at Beagle Security, stated, “Cloud customers were engaged on a bedrock security promise: tenant isolation and segregation contain breaches. However, a single hack reportedly exposed 6 million records across 140,000 tenants… shattering that illusion.” ([csoonline.com](https://www.csoonline.com/article/3852643/oracle-cloud-breach-may-impact-140000-enterprise-customers.html?utm_source=openai))

Recommendations for Clients

In light of these developments, clients are advised to:

– Change All Passwords Immediately: Update all login credentials for Oracle Cloud accounts and related services.

– Enforce Strong Password Policies: Implement complex passwords to reduce the risk of brute-force attacks.

– Enable Multi-Factor Authentication (MFA): Add an extra layer of security to account access.

– Monitor Account Activity: Regularly review account logs for any unauthorized access or suspicious activity.

– Stay Informed: Keep abreast of Oracle’s communications regarding security updates and patches.

As investigations continue, Oracle has yet to make a public statement acknowledging either breach, maintaining its pattern of private disclosures to affected customers while publicly remaining silent on the incidents.