Massive Oracle E-business suite hack targets Harvard, Envoy, and Washington post, exploiting zero-day vulnerability for data theft.

The Harvard University and American Airlines-owned carrier Envoy, which announced similar breaches last month, and the Washington Post are two of the businesses affected by a massive cybercrime campaign that targeted Oracle's business software.

The Washington Post did not specify what data, if any, was lost. But the announcement follows a warning from Google's Mandiant team that it had been tracking a new, major extortion campaign from the Clop ransomware gang. The scammers sent a high volume of emails to executives at numerous organizations, suggesting the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments.

Oracle adds that the vulnerability is remotely exploitable without authentication, which means it may be used over a network without the need for a username and password. This vulnerability could lead to remote code execution if it is successfully used.

Last month, Google revealed that Clop had taken advantage of zero-day vulnerability against Oracle EBS users weeks before a patch was available, with additional suspicious activity going back to July 10, 2025, and that in some cases, the threat actor successfully took quite a bit of data from impacted organizations.