
Oracle has acknowledged to customers that hackers recently breached a dormant “legacy” system and stole outdated login credentials. According to Bloomberg, the compromised environment hasn’t been active for eight years, and the stolen credentials are no longer current.

Oracle was quick to assure clients that the compromised data was outdated and non-sensitive, but evidence suggests otherwise—the hackers have posted even more recent records from 2025 on a hacking forum.

Oracle has brought in CrowdStrike and the FBI to investigate the incident.

According to cybersecurity firm CybelAngel, Oracle disclosed to clients that attackers breached its Gen 1 (Oracle Cloud Classic) servers as early as January of this year, exploiting a 2020 Java vulnerability to install a web shell and other malware.

Breach details and timeline

The breach, discovered back in February, apparently involved the theft of data from Oracle Identity Manager (IDM), including user emails, usernames, and hashed passwords.

This breach discovery follows an incident in March when a malicious actor using the alias “rose87168” offered 6 million stolen data records for sale on BreachForums. The seller provided sample files containing database content, LDAP information, and a client list as evidence, claiming they were stolen from Oracle Cloud’s federated SSO login servers.

Around the same time, BleepingComputer reported that a hacker claimed to have stolen data from Oracle Cloud servers. Oracle consistently denied any cloud breach in statements to the press, stating, “There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

According to Bloomberg, Oracle notified an undisclosed number of customers about the breach this week.

Careful wording and continued denials

The hackers reportedly stole credential data, including usernames, passkeys, and encrypted passwords.

Oracle continued to deny the breach even after evidence emerged showing the hacker had uploaded a file containing their email address to one of Oracle’s servers. This URL was later removed from Archive.org (though an archive of the archive still exists).

Oracle has consistently denied reports of an Oracle Cloud breach in its press statements since the incident came to light. These denials are technically accurate, because Oracle tells customers that the breach affected an older platform called Oracle Cloud Classic.

“Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident,” cybersecurity expert Kevin Beaumont said this week. “Oracle are denying it on ‘Oracle Cloud’ by using this scope—but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.”
