Oracle quietly confirms cloud data breach to select customers

After initially denying the breach of any of its systems, Oracle has started privately informing some of its customers of a data breach affecting usernames, passkeys, and encrypted passwords. The notifications come in response to a hacker claiming to sell millions of lines of data (including encrypted credentials) associated with more than 140,000 Oracle Cloud users.

Oracle had denied the breach when the claims first came to light. However, Bloomberg reports the company is now telling customers that the breach included a legacy environment not used in eight years, with the compromised credentials posing little risk. A source claimed that some of the compromised credentials are from 2024.

In response to Oracle’s denial of the hack, the hacker, dubbed “rose87168”, released additional information to press their claim further. This includes a sample of 10,000 customer data records, user credentials, a link to a file providing access to Oracle cloud systems, and a video seemingly recorded during an internal company meeting. The hacker also claims that some information from 2025 was compromised.

SecurityWeek reports that several security firms have confirmed that the leaked information seems genuine, with confirmation from some Oracle cloud customers that their data was included in the leak.

The FBI and cybersecurity firm CrowdStrike are reportedly investigating the issue. Another security firm, CyberAngel, claims that it has one source confirming that Oracle has “allegedly determined an attacker who was in the shared identity service as early as January 2025.”

CyberAngel’s report also sheds more light on how the attack took place. Allegedly, the hack was carried out via a 2020 Java exploit that allowed the hacker to install a webshell along with malware. The malware then targeted the Oracle IDM database and extracted data. The company has allegedly been aware of the issue since late February 2025 and investigated it internally, removing the threat actor’s access within days after the first ransom demand was made in early March.

Oracle’s carefully worded response allows it to deny responsibility. Only Gen 1 cloud servers at the company were impacted, with the compromised information being at least 16 months old and lacking full personal details. Security researcher Kevin Beaumont believes that “Gen 1 servers” may refer to Oracle Classic, a name given to older Oracle cloud services, and that this wording lets the company dodge responsibility.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.