Oracle Confirms Major Data Breach After Lawsuit Accused It of A Cover-Up

Release time: 2025-05-28    Source: 傲然技術

Oracle has disclosed a data breach affecting its older Generation 1 servers, marking the second cybersecurity incident reported by the company in recent weeks. After initially denying the incident, the multinational technology company headquartered in Austin, Texas acknowledged to some clients that attackers stole old client credentials after breaching a "legacy environment" last used in 2017.

Oracle has informed its customers that cybersecurity firm CrowdStrike and the FBI are now investigating the incident.

Oracle Cloud Breach Details:

Cybersecurity firm CybelAngel first revealed that Oracle told customers an attacker had gained access to the company's Gen 1 servers (also known as Oracle Cloud Classic) as early as January 2025. The threat actor reportedly exploited a 2020 Java vulnerability to deploy a web shell and additional malware.

The breach, detected in late February, allegedly resulted in the exfiltration of data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.

On March 20, a threat actor known as rose87168 listed 6 million data records for sale on BreachForums, sharing multiple text files containing a sample database, LDAP information, and a list of affected companies as proof of authenticity. The data was allegedly stolen from Oracle Cloud's federated SSO login servers.

The compromised data reportedly includes usernames, email addresses, hashed passwords, and authentication credentials such as Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) information.

Additionally, the attacker exfiltrated Java Key Store (JKS) files and Enterprise Manager JPS keys. While no complete Personally Identifiable Information (PII) was exposed, Oracle confirmed that the stolen data is approximately 16 months old.

The breach was carried out using a 2020 Java exploit, which enabled the attacker to deploy a web shell and malware targeting Oracle’s Identity Manager (IDM) database. The hacker reportedly accessed the system as early as January 2025, remaining undetected until late February, when Oracle initiated an internal investigation.

Oracle has since informed affected clients and bolstered security measures for its Gen 1 servers. The company reassured stakeholders that its Generation 2 servers remain unaffected and that its primary Oracle Cloud infrastructure was not breached.

Despite these assurances, cybersecurity firm CybelAngel reported that Oracle privately acknowledged the breach and confirmed unauthorized access to legacy systems.

Threat Actor: "rose87168"

The hacker "rose87168" appears to be a relatively new figure in cybercrime, having created their account in March 2025. Their primary motivation seems financial, as they demanded a $20 million ransom from Oracle. However, they also indicated an interest in exchanging stolen data for zero-day exploits, suggesting broader malicious intent.

To substantiate their claims, the threat actor released proof of stolen data, including sample databases and LDAP credentials. Security researchers have verified portions of this data, further confirming the breach.

Oracle continued to deny the incident, and according to cybersecurity expert Kevin Beaumont, the tech giant attempted to hide the incident from its clients.

Oracle maintained this stance even after an archived URL showed that the threat actor had uploaded a file containing their email address to an Oracle server. While the URL was later removed from Archive.org, an archive of the archive still exists.

It was later confirmed with multiple companies that additional leaked data samples—including LDAP display names, email addresses, and other identifying details—were valid.

Oracle has consistently denied reports of a breach in its current cloud services, stating that the incident only affected the older Oracle Cloud Classic platform. Kevin Beaumont noted:

"Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle is denying it on 'Oracle Cloud' by using this scope—but it’s still Oracle cloud services that Oracle manages. That’s part of the wordplay."

This breach follows another recent cybersecurity incident involving Oracle Health’s legacy Cerner servers, where patient data from U.S. healthcare organizations was compromised. While Oracle maintains that the two incidents are unrelated, their close timing has led to increased scrutiny of the company's overall security posture.

The breach was detected on February 20, 2025, and attackers reportedly used compromised customer credentials to gain access to legacy Cerner data migration servers sometime after January 22, 2025.

Sources indicate that affected hospitals are now being extorted by a threat actor known as "Andrew," who has not claimed affiliation with any ransomware or extortion groups. The attacker is demanding millions in cryptocurrency to prevent the data from being leaked or sold, even creating public websites to pressure hospitals into paying the ransom.

The Gen 1 server breach underscores vulnerabilities in older systems that have yet to be fully transitioned to modern cloud infrastructure. Experts warn that if similar weaknesses are exploited, such incidents could pose significant risks to enterprise security and supply chains.

Oracle’s response highlights the challenges large enterprises face in securing legacy systems while shifting to newer platforms. As investigations continue, affected clients are advised to reset credentials, monitor for suspicious activity, and implement additional security measures.
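The credential-reset advice above is easier to act on when it is turned into a concrete triage rule: treat every account whose password was not rotated after the exposure window as compromised and force a reset. The script below is an added illustration, not code from Oracle, CybelAngel or the article's other sources. It parses a constructed LDIF export (the same kind of LDAP data the article says was leaked) using the standard password-policy attribute pwdChangedTime, and assumes an exposure-window end date of 2025-03-01, which is a placeholder chosen here because the article only says detection happened in late February.

```python
"""Post-incident credential triage over an LDAP (LDIF) export.

Added example, not code from the article or from Oracle. Assumptions:
  * the export carries the ppolicy attribute pwdChangedTime (GeneralizedTime, UTC);
  * any password last changed before EXPOSURE_WINDOW_END, or never recorded as
    changed, is treated as exposed and must be reset.
"""
from datetime import datetime, timezone

# Assumed end of the attacker's access window (placeholder: the article says
# only "late February 2025"). Passwords not rotated after this are exposed.
EXPOSURE_WINDOW_END = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample export; none of these records are real Oracle data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com
pwdChangedTime: 20241115083000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
pwdChangedTime: 20250305120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
mail: carol@example.com
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with a single
    space continues the previous value (LDIF folding). Base64 values
    ("attr:: ...") are not decoded, which is enough for this triage.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20241115083000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def accounts_needing_reset(entries, window_end=EXPOSURE_WINDOW_END):
    """Return sorted uids whose credential must be assumed exposed."""
    flagged = []
    for entry in entries:
        uid = entry.get("uid", ["<no uid>"])[0]
        changed = entry.get("pwdChangedTime")
        # No recorded change at all is treated as never rotated.
        if not changed or parse_generalized_time(changed[0]) < window_end:
            flagged.append(uid)
    return sorted(flagged)


if __name__ == "__main__":
    for uid in accounts_needing_reset(parse_ldif(SAMPLE_LDIF)):
        print(f"force password reset: {uid}")
```

Run against the sample, the script flags alice (rotated before the window closed) and carol (no rotation on record) and leaves bob alone. A missing pwdChangedTime is deliberately treated as exposed rather than skipped, since an account with no rotation history is exactly the one a stolen hash would still match.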


Resource: https://www.linkedin.com/pulse/oracle-confirms-major-data-breach-the-cyber-security-hub-bnnde