Oracle Corporation has disclosed a data breach involving its older Generation 1 servers, marking the second cybersecurity incident reported by the company within weeks.
The breach, initially revealed by a threat actor on BreachForums on March 20, 2025, has raised concerns about Oracle’s ability to secure its legacy systems and safeguard sensitive client data.
Details of the Breach
The attacker, identified as “rose87168,” claimed responsibility for the breach and alleged access to approximately six million data records.
The stolen information includes usernames, email addresses, hashed passwords, and sensitive authentication credentials such as Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) details.
Additionally, the hacker exfiltrated Java Key Store (JKS) files and Enterprise Manager JPS keys, which are critical for encryption and system security.
Oracle confirmed that the compromised data is around 16 months old and emphasized that no complete Personally Identifiable Information (PII) was exposed.
The breach was facilitated by exploiting a 2020 Java vulnerability, enabling the attacker to deploy a web shell and malware targeting Oracle’s Identity Manager (IDM) database.
The attacker reportedly gained access as early as January 2025 and remained undetected until late February, when Oracle initiated an internal investigation.
Threat Actor Profile: “rose87168”
The hacker “rose87168” appears to be a relatively new player in cybercrime circles, with their account created in March 2025.
Their primary motive seems to be financial, as they demanded a $20 million ransom from Oracle.
However, they also expressed interest in exchanging stolen data for zero-day exploits, suggesting broader criminal ambitions.
To substantiate their claims, “rose87168” released proof of stolen data, including sample databases and LDAP credentials.
Security researchers have validated portions of this data, confirming the legitimacy of the breach.
Oracle’s Response
Oracle has taken steps to notify affected clients and reinforce security measures around its Gen 1 servers.
The company assured stakeholders that its Gen 2 servers remain unaffected and denied any compromise of its primary Oracle Cloud infrastructure.
However, cybersecurity firm CybelAngel reported that Oracle privately acknowledged unauthorized access to legacy systems.
In response to this incident, Oracle is conducting a forensic audit and collaborating with law enforcement, including the FBI, and with the security firm CrowdStrike to investigate further.
The company has also issued guidelines advising affected clients to reset credentials, monitor for suspicious activity, and implement enhanced security measures.
Broader Implications
This breach follows another recent cybersecurity incident involving Oracle Health’s legacy Cerner servers, where patient data from U.S. healthcare organizations was compromised.
While Oracle maintains that these breaches are unrelated, the timing has drawn scrutiny over its overall security posture.
Experts warn that vulnerabilities in legacy systems like Gen 1 servers could have cascading effects on enterprise security and supply chains if exploited further.
The incident underscores the challenges faced by large enterprises in securing outdated platforms while transitioning to modern cloud infrastructure.
As investigations continue, this breach serves as a stark reminder of the evolving threats in today’s cybersecurity landscape.
Organizations relying on legacy systems are urged to prioritize updates and migration to mitigate risks effectively.