Oracle Cloud Hack Exposed: Company Admits Breach Privately

Oracle’s cloud systems recently faced a significant security breach, which the company initially denied. Eventually, Oracle confirmed the breach privately to impacted customers. A hacker, known as ‘rose87168’, attempted to extort $20 million from Oracle. The hacker then offered to sell the stolen data or trade it for zero-day exploits. Oracle initially claimed there was no breach, but the hacker provided evidence, including customer data samples and internal meetings, proving otherwise.

Cybersecurity firms and experts verified the authenticity of the leaked information, noting its link to a production environment. Despite public denials, Oracle admitted privately to customers that usernames, passkeys, and encrypted passwords were compromised. Bloomberg revealed the breach involved a legacy environment not in use for eight years, though some credentials are as recent as 2024.

CybelAngel identified the affected ‘Gen 1’ cloud servers, with compromised information dating back at least 16 months. The hacker exploited a 2020 Java vulnerability to install a web shell and malware, targeting the Oracle IDM database. Oracle became aware of the breach in late February and removed the attacker after the initial ransom demand in March.

Kevin Beaumont criticized Oracle for verbal-only communications with affected customers and urged the company to provide transparent public statements. Additionally, reports of a separate Oracle Health data breach affecting patients’ information from multiple US healthcare organizations have surfaced. The FBI and CrowdStrike are investigating this breach.

Overall, cybersecurity experts agree that Oracle needs to disclose the full scope of the breach and the protective measures it will implement. Transparency and accountability are essential for maintaining customer trust and mitigating the impacts of such significant security incidents.
