Oracle has confirmed that attackers breached a legacy environment last active in 2017, stealing outdated client credentials. The company quietly informed affected customers while minimising the significance of the security incident.
According to cybersecurity company CybelAngel, Oracle disclosed that an unauthorised entity gained access to its Generation 1 (Oracle Cloud Classic) servers as early as January 2025.
The attackers reportedly exploited a 2020 Java vulnerability to install a web shell and other malware, giving them unauthorised access to sensitive data. Although the breach was first advertised on BreachForums on 20 March 2025, the unauthorised access is believed to have been detected in late February.
It is claimed that during the incident, user emails, hashed passwords, and usernames were compromised due to data exfiltration from the Oracle Identity Manager (IDM) database. The breach has raised concerns about the integrity of Oracle’s cloud infrastructure and its capability to protect vital client information.
A threat actor known as rose87168 has also allegedly offered six million records for sale, including samples of the stolen database, LDAP information, and a list of organisations taken from Oracle Cloud's shared SSO login servers.
Rose87168 has since released 10,000 customer records, along with an internal video showing the intrusion and a file containing user passwords and Oracle Cloud access data. Oracle has denied any breach, despite evidence from an archived URL showing that the attacker had uploaded a file containing their email address to one of Oracle's servers.
Oracle Denies Breach Despite Mounting Evidence and Expert Validation
Several cybersecurity firms have confirmed that the leaked customer data appears authentic and was taken from a production environment. Notably, Phishing Tackle and other sources have received confirmation from some Oracle Cloud customers that their records were included in the leak.
Following the initial leak, several companies received further samples of the data, including LDAP display names, email addresses, given names and other identifying details, and verified their authenticity. One of the URLs linked to the breach was later removed from Archive.org, although an archived copy of that capture still exists.
Oracle has notified customers that the breach involves a legacy environment that has not been used in eight years, according to sources speaking to Bloomberg. Additionally, the company maintains that the compromised information poses minimal risk.
However, according to another source, some of the compromised credentials date from as recently as 2024, indicating a mix of old and more recent data. Researchers from cybersecurity firm Trustwave Holdings Inc. have validated that the data posted for sale online was extracted directly from Oracle.
Karl Sigler, Trustwave SpiderLabs Threat Intelligence’s senior security research manager, described the stolen data as a “rich dataset” that could allow hackers to send phishing emails and potentially hijack user accounts.
The incident has raised questions about Oracle's security practices, particularly in light of a recent hack affecting Oracle Health's legacy Cerner servers, which exposed patient data from US healthcare organisations.
Oracle's response to these breaches highlights the difficulty large companies have in protecting legacy systems while migrating to newer platforms. A legacy environment that remains reachable from the internet is still attack surface until it is fully decommissioned, and any credentials it held should be treated as exposed and rotated, however old they are. The incident is a reminder for organisations to keep a complete inventory of legacy systems and to apply the same monitoring and patching to them as to production.