Oracle Privately Notifies Customers of Cloud Data Breach

Oracle confirms a data breach tied to a legacy system, denying impact on Oracle Cloud.

Oracle acknowledged a data breach, began notifying customers, and minimized the incident's impact. Under the alias "rose87168," a threat actor asserted that it had millions of data lines connected to more than 140,000 Oracle Cloud tenants, including encrypted login passwords.

As evidence of the intrusion, the hacker released 10,000 customer records, an internal video, and a file containing user credentials and Oracle Cloud access.

The hacker changed course and offered the stolen material for sale or in exchange for zero-day exploits after first attempting to extort Oracle for $20 million. Serious questions have been raised by the incident regarding Oracle's cloud infrastructure security and the possible repercussions for impacted clients.

Oracle refuted the threat actor's allegations, claiming that there was no Oracle Cloud breach and that the compromised credentials had nothing to do with it. The business guaranteed that no client information had been compromised.

According to BleepingComputer, several businesses verified the authenticity of the leaked Oracle data, including correct LDAP names, emails, and other identifiers. The hacker shared emails with Oracle, including one from a ProtonMail account purportedly connected to Oracle, and claimed complete access to data on 6 million customers. Additionally, the infected server was running a vulnerable version of Oracle Fusion Middleware, according to cybersecurity firm Cloudsek.

Customers are being discreetly notified by Oracle of a compromise that has affected encrypted passwords, passkeys, and usernames. The FBI and CrowdStrike are looking into the matter. According to researcher Kevin Beaumont, cloud users have only received verbal breach warnings from Oracle; no written correspondence has been sent.