Oracle says "obsolete servers" hacked, denies cloud breach

security
(Image credit: Shutterstock / binarydesign)

  • Oracle had started sending out data breach notification letters
  • In the letters, it downplays the significance of recent attacks
  • However not everyone agrees with that assessment

We now apparently have confirmation that Oracle has been notifying its customers about a recent data breach - but the company is still standing its ground and saying it was an irrelevant attack that will make no difference whatsoever.

In early April 2025, a threat actor with the alias “rose87168” opened a new thread on an underground forum to advertise the sale of a database stolen from the company. The database allegedly contained six million records, including private security keys, encrypted credentials, and LDAP entries, all belonging to Oracle customers.

To confirm the authenticity of the information, the hacker even uploaded a new document to the cloud, containing their own email address.

Monitor your credit score with TransUnion starting at $29.95/month

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

Oracle denies severity

Oracle first denied, and later confirmed the breach, but said it was a pointless attack since the servers were old and unused, and the data contained within was outdated.

Now, BleepingComputer reports that email notification letters started going out: "Oracle would like to state unequivocally that the Oracle Cloud—also known as Oracle Cloud Infrastructure or OCI—has NOT experienced a security breach," the letter allegedly reads.

"No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way," it added in emails sent from replies@oracle-mail.com, prompting customers to contact Oracle Support or their account manager if they have additional questions.

"A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data."

A report from The Register claims the data belonging to one of the victims was created in 2024. The investigation is currently ongoing but so far it seems that the attacker exploited a vulnerability in Oracle Access Manager to breach Oracle-hosted servers.

Cybersecurity experts CrowdStrike are currently analyzing the incident. The FBI was also notified about the attack, Oracle has confirmed.

Via BleepingComputer

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.