The US software company Oracle has privately admitted to selected customers that attackers stole customer credentials after compromising what it calls a “legacy environment”, Bloomberg reports.
While Oracle told the affected customers that the stolen data was non-critical legacy data, research by BleepingComputer paints a different picture: the actor behind the attack shared data records from the end of 2024 with the IT security news site, and newer records from 2025 were posted on a hacker forum.
Details of the attack
Cybersecurity firm CybelAngel was the first to reveal that Oracle had informed customers about an attacker who had had access to Oracle Gen 1 servers (also known as Oracle Cloud Classic) since January 2025. A Java vulnerability dating from 2020 was used to install a web shell and further malware.
During the intrusion, which was discovered in late February, the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including email addresses, usernames and hashed passwords. That the passwords were hashed limits the damage only as long as the hashes withstand offline cracking, so the affected credentials still need to be rotated.
An actor using the pseudonym “rose87168” offered six million data records for sale on the BreachForums platform on March 20. As proof of authenticity, the attacker published several text files containing database samples, LDAP information and company lists – all allegedly taken from Oracle’s federated SSO login infrastructure.
Oracle’s denial
When asked about the authenticity of the leaked data, Oracle told BleepingComputer: “There was no intrusion into the Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers have experienced a breach or lost data.”
Oracle maintained its denial even after an archived URL showed that the attacker had been able to upload a file containing his email address to an Oracle server, which demonstrates write access to that host. The snapshot was later removed from Archive.org, but an archive of the archive still exists.
A few days later, however, several companies confirmed that further samples of the leaked data supplied by the attacker (including LDAP display names, email addresses, first names and other identifiers) matched their own records.
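The confirmation described above is something any potentially affected organization can repeat: take the sample the attacker released, normalize the identifiers, and compare them against an export of your own directory. The script below is an added example and is not code from the article, from Oracle or from any of the companies mentioned. It assumes a JSON-lines layout for the leaked sample and a CSV export with the columns sAMAccountName, mail, displayName and status for the internal directory; both inputs are constructed here, and neither layout is taken from the actual leak. A match on the email address alone is weak evidence (addresses are easy to guess); a match on the email address together with the LDAP display name is what the companies above relied on.

```python
"""Validate a leaked credential sample against your own directory export.

Added example, not from the article. The JSON-lines layout of the leak, the
CSV layout of the directory export and all records below are constructed.
"""
import csv
import io
import json
import unicodedata

# Constructed leak sample with the fields the article says were present
# (usernames, email addresses, LDAP display names). Layout is an assumption.
LEAK_SAMPLE = """\
{"uid": "jdoe", "mail": "JDoe@Example.COM", "displayName": "Doe, Jane"}
{"uid": "asmith", "mail": "a.smith@example.com", "displayName": "Smith, Alan"}
{"uid": "bwong", "mail": "bwong@example.com", "displayName": "Wong, Beatrice"}
{"uid": "ghost", "mail": "nobody@example.com", "displayName": "Nobody, Real"}
"""

# Constructed directory export, as an admin would pull it from LDAP/AD.
DIRECTORY_EXPORT = """\
sAMAccountName,mail,displayName,status
jdoe,jdoe@example.com,"Doe, Jane",active
asmith,a.smith@example.com,"Smith, Alan",disabled
bwong,bwong@example.com,"Wong, Bea",active
cnew,cnew@example.com,"New, Carol",active
"""


def normalize(value: str) -> str:
    """Canonicalise an identifier so case or Unicode form differences cannot hide a match."""
    return unicodedata.normalize("NFKC", value or "").strip().casefold()


def parse_leak(text: str) -> list[dict]:
    """Parse attacker-supplied JSON lines defensively: skip junk instead of crashing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        records.append({k: normalize(str(rec.get(k, ""))) for k in ("uid", "mail", "displayName")})
    return records


def parse_directory(text: str) -> dict[str, dict]:
    """Index the internal export by normalized email address."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        index[normalize(row["mail"])] = {
            "uid": normalize(row["sAMAccountName"]),
            "displayName": normalize(row["displayName"]),
            "status": normalize(row["status"]),
        }
    return index


def assess(leak_text: str, directory_text: str) -> dict:
    """Count how much of the sample matches our directory and how current it is."""
    leak = parse_leak(leak_text)
    directory = parse_directory(directory_text)
    matched = name_confirmed = active = 0
    for rec in leak:
        entry = directory.get(rec["mail"])
        if entry is None:
            continue  # not one of ours, or a record from another tenant
        matched += 1
        if entry["displayName"] == rec["displayName"]:
            name_confirmed += 1  # email + display name both match: strong evidence
        if entry["status"] == "active":
            active += 1  # leak hits a live account, not just stale "legacy" data
    # Treat the sample as genuine when at least half of it maps to our directory
    # and at least one record is corroborated by the display name.
    verdict = "likely genuine" if name_confirmed and matched * 2 >= len(leak) else "unconfirmed"
    return {
        "sample_size": len(leak),
        "matched": matched,
        "name_confirmed": name_confirmed,
        "active": active,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(assess(LEAK_SAMPLE, DIRECTORY_EXPORT))
```

The `active` count matters because Oracle framed the data as legacy: if the matched records belong only to disabled accounts, the leak is old; if live accounts appear, the "non-critical legacy data" description does not hold for you and the credentials involved need to be rotated. A sample that does not match your directory at all tells you little, since the attacker's records may simply belong to other tenants.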
Oracle’s play on words with “Cloud Classic”
Oracle has consistently denied reports of an Oracle Cloud breach in its public statements since the incident came to light. Cybersecurity expert Kevin Beaumont addressed this wording in a post on medium.com: “Oracle rebadged old Oracle Cloud services to be Oracle Classic,” he writes. “Oracle Classic has the security incident. Oracle are denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage. Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility.” Good crisis communication looks different.
Second incident: break-in at Oracle Health
Last week, Oracle also informed customers about a breach at its Software-as-a-Service (SaaS) subsidiary Oracle Health (formerly Cerner), which affected several US healthcare organizations and hospitals.
Although Oracle has not publicly disclosed this incident, it has been confirmed, based on private communications between Oracle Health and affected customers and on conversations with those involved, that patient data was stolen in the attack.
Oracle Health said it discovered the intrusion into Cerner’s legacy data migration servers on February 20, 2025. The attackers reportedly used compromised customer credentials to get into the servers at some point after January 22, 2025.