Oracle Confirms Cloud Was Compromised After Denying Intrusion Affecting Six Million Records

By TechDogs Bureau

TD NewsDesk

Updated on Tue, Apr 8, 2025

Last month, numerous reports surfaced about Oracle being hit with a hack in which its public cloud offering was compromised, resulting in stolen information.

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” said an Oracle spokesperson.

This is despite a hacker with the moniker “rose87168” publishing a message on BreachForums on March 20, claiming to have stolen data of around six million security credentials across 140,000 companies. The data consisted of JKS files (Java KeyStore), passwords, key files, and enterprise manager JPS files from SSO (Single Sign-On) and LDAP (Lightweight Directory Access Protocol).

The hacker also published 10,000 customer records and user credentials, a file showing Oracle Cloud access, and a video as proof. rose87168 also created a text file with their email address on an Oracle Cloud login server, specifically login.us2.oraclecloud.com.

While the archived page captured by the Internet Archive's Wayback Machine has been removed (possibly at the behest of Oracle), the archive of the archive remains available at the time of writing.

rose87168 wrote, “The SSO passwords are encrypted, they can be decrypted with the available files. Also, LDAP-hashed passwords can be cracked. (I couldn't do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift.)”

However, before selling the information, the “Good Samaritan” offered affected businesses a chance to protect their data from being leaked. “I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold,” rose87168 offered.

Furthermore, the miscreant was open to communicating with the leaky cloud provider, “Oracle can send me a message through the company's official email to my email with 72H (we talk before).”

The hacker initially wanted to extort Oracle for $20 million in cryptocurrency a month before publishing, a move that came to no avail. Eventually, rose87168 flipped and was open to selling the data or trading it for zero-day exploits.

[Image: the hacker rose87168's message on BreachForums]

Still, Oracle had vehemently denied being breached.

That was until reports began emerging that the company was notifying its customers on the down-low. Some of Oracle’s customers have been notified that a hacker broke into its systems and stole old client login credentials.

The company’s staff informed customers that the miscreant accessed usernames, passkeys, and encrypted passwords, according to two sources familiar with the matter, who spoke on the condition of anonymity.

According to Oracle, the breach took place on an old server that stored eight-year-old data, meaning that the credentials were most likely dated.

However, a customer noted that login data as recent as 2024 was taken. Also, it’s said that rose87168 posted newer records from 2025.

Oracle hasn’t explicitly lied about no data breach hitting Oracle Cloud, though, as the company claims the breach impacted Oracle Cloud Classic.

“Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on 'Oracle Cloud' by using this scope—but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay,” said cybersecurity expert Kevin Beaumont.

Other information security experts who analyzed samples of the stolen data also confirmed that Oracle's Cloud Classic product was hit. The belief is that the miscreant got in by exploiting Oracle servers that weren’t patched against CVE-2021-35587—a vulnerability in Oracle Access Manager. This means that Oracle failed to patch a hole in its own software on its own systems.

#Embarrassing

As such, Oracle has contacted the FBI and cybersecurity firm CrowdStrike to investigate the matter.

Oracle, the FBI, and CrowdStrike refused to provide a comment.

Meanwhile, the company has been a part of another cybersecurity incident—one affecting Oracle Health.


The Oracle Health Hack


This particular company was formed when Oracle acquired healthcare firm Cerner in 2022 for $28.3 billion.

The breach, which affects multiple US healthcare organizations and hospitals, hasn’t been publicly disclosed by the company. #NoSurprise

However, the company has issued private communications to impacted customers, notifying them that patient data has been stolen. The notification wasn’t put on an official letterhead but was signed by Oracle Health’s Executive VP President & GM, Seema Verma.

“We are writing to inform you that, on or around February 20, 2025, we became aware of a cybersecurity event involving unauthorized access to some amount of your Cerner data that was on an old legacy server not yet migrated to the Oracle Cloud,” read the notification informing customers.

As per Oracle Health, the threat actor copied data to a remote server after gaining access sometime after January 22, 2025.

On one hand, it’s believed that the hacker—who goes by the name “Andrew”—is demanding millions of dollars in cryptocurrency, having created websites to pressure the hospitals into paying. On the other hand, Oracle Health has told hospitals it won’t notify patients directly, and the hospitals will have to decide if the data stolen violates HIPAA laws.

Do you think cloud platforms such as Oracle should be held to stricter standards, especially considering the sensitive nature of customer data that can be compromised?

First published on Tue, Apr 8, 2025
