Oracle Cloud Data Breach: Quiet Disclosure to Customers Amid Security Concerns
TL;DR
Oracle has confirmed a data breach affecting its cloud services, impacting over 140,000 tenants. The hacker, known as ‘rose87168’, claims to have accessed millions of data lines, including encrypted credentials. Oracle has downplayed the incident, asserting that no customer data was compromised. However, multiple companies have verified the authenticity of the leaked data, raising concerns about Oracle’s transparency and security measures.
Oracle Cloud Data Breach: What Happened?
Oracle has acknowledged a data breach affecting its cloud services, notifying customers while attempting to minimize the impact of the security incident. The breach was initially brought to light by a threat actor using the moniker ‘rose87168’, who claimed to possess millions of data lines tied to over 140,000 Oracle Cloud tenants, including encrypted credentials.
Hacker’s Actions and Claims
The hacker published 10,000 customer records, a file showing Oracle Cloud access, user credentials, and an internal video as proof of the hack. Initially, ‘rose87168’ attempted to extort Oracle for $20 million but later offered the stolen data for sale or in exchange for zero-day exploits. This incident has sparked serious concerns about the security of Oracle’s cloud infrastructure and the potential implications for affected customers.
Oracle’s Response
Oracle has denied the threat actor’s claims, stating that there was no breach of Oracle Cloud and that the leaked credentials were unrelated. The company stated that no customer data was compromised.[1]
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
However, BleepingComputer reported that multiple companies confirmed the leaked Oracle data as authentic, including accurate LDAP names, emails, and other identifiers. The hacker claimed full access to data on 6 million users and shared emails with Oracle, including one from a ProtonMail address allegedly tied to Oracle. Cybersecurity firm CloudSEK also noted that a vulnerable Oracle Fusion Middleware version was running on the compromised server. Oracle has since taken the server offline.[2]
Investigation and Notifications
Oracle is privately notifying customers of a breach affecting usernames, passkeys, and encrypted passwords, with the FBI and CrowdStrike investigating the incident. Researcher Kevin Beaumont said that Oracle has only issued verbal breach notifications to cloud customers, with no written communication provided.[3]
Bloomberg reported that Oracle Corp. has told customers that a hacker broke into a computer system and stole old client log-in credentials, according to two people familiar with the matter. It’s the second cybersecurity breach that the software company has acknowledged to clients in the last month.[4]
Criticism and Transparency Issues
Critics have pointed out that Oracle is attempting to downplay the incident by using specific wording to avoid responsibility. Kevin Beaumont wrote:
“Oracle needs to clearly, openly, and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.”[5]
Beaumont also provided updates indicating that Oracle rebadged old Oracle Cloud services as Oracle Classic, which is where the security incident occurred. Oracle is denying a breach of “Oracle Cloud” by relying on this scoping, but these are still Oracle cloud services that Oracle manages.[6]
Conclusion
The Oracle Cloud data breach highlights the critical need for transparency and effective communication in handling security incidents. As the investigation continues, customers and the cybersecurity community await clearer insights and actions from Oracle to address the breach and prevent future incidents.
Additional Resources
For further insights, check:
- BleepingComputer Report
- CloudSEK Analysis
- SecurityWeek Article
- Bloomberg Report
- DoublePulsar Commentary
References
1. Oracle (2025). “Oracle Cloud Data Breach Statement”. Security Affairs. Retrieved 2025-04-06.
2. BleepingComputer (2025). “Oracle Privately Confirms Cloud Breach to Customers”. BleepingComputer. Retrieved 2025-04-06.
3. Kevin Beaumont (2025). “Oracle Confirms Cloud Hack”. SecurityWeek. Retrieved 2025-04-06.
4. Bloomberg (2025). “Oracle Tells Clients of Second Recent Cybersecurity Breach”. Bloomberg. Retrieved 2025-04-06.
5. Kevin Beaumont (2025). “Oracle Attempt to Hide Serious Cybersecurity Incident from Customers in Oracle SaaS Service”. DoublePulsar. Retrieved 2025-04-06.
6. Kevin Beaumont (2025). “Update on Oracle Cloud Data Breach”. DoublePulsar. Retrieved 2025-04-06.
