Oracle Confirms Breach: Hackers Stole Client Login Credentials

Oracle Corporation has privately confirmed to select customers that hackers breached a “legacy” computer system and stole client login credentials, following weeks of public denials about any security incidents.

This acknowledgment represents a significant reversal from their previous position and marks the second cybersecurity incident disclosed to clients in recent months.

Breach Details and Investigation

According to Bloomberg reports, Oracle staff informed certain clients this week that attackers compromised what they described as a “legacy environment,” gaining unauthorized access to authentication data, including usernames, passkeys, and encrypted passwords.

The FBI and cybersecurity firm CrowdStrike have been called in to investigate the incident.

Cybersecurity firm CybelAngel revealed that Oracle disclosed to clients that attackers breached their Gen 1 (Oracle Cloud Classic) servers as early as January 2025, exploiting a 2020 Java vulnerability to install a web shell and additional malware.

The breach, discovered in late February, involved the theft of data from Oracle Identity Manager (IDM), including user emails, usernames, and hashed passwords.

Oracle’s Denial Strategy

This confirmation marks a stark contrast to Oracle’s previous public statements categorically denying any breach.

When reports emerged in March about a threat actor attempting to sell 6 million data records allegedly stolen from Oracle Cloud infrastructure, the company insisted: “There has been no breach of Oracle Cloud. The published credentials are not for Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Security researchers have criticized Oracle’s response, suggesting the company engaged in “wordplay” by rebranding the compromised systems as “Oracle Classic” to maintain their claim that “Oracle Cloud” wasn’t breached.

Cybersecurity expert Kevin Beaumont noted, “Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.”

Threat Actor and Data Exposure

The breach first came to public attention when a malicious actor using the alias “rose87168” offered 6 million stolen data records for sale on BreachForums in March.

The seller provided sample files containing database content, LDAP information, and a client list as evidence, claiming they were stolen from Oracle Cloud’s federated SSO login servers.

According to cybersecurity firm CloudSEK, the breach endangered over 140,000 tenants.

The stolen data reportedly includes critical assets such as JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.

Contradicting Claims About Data Age

While Oracle has attempted to downplay the severity by claiming the compromised system hasn’t been active for eight years and that stolen credentials are no longer current, evidence contradicts this assertion.

The hackers have posted records from 2025 on a hacking forum, and researchers have confirmed data from late 2024 was also compromised.

Oracle’s handling of these security incidents has drawn criticism from security professionals.

The breach has raised serious questions about cloud security practices and tenant isolation in cloud environments.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
