Oracle Breach Exposes Millions of Stolen Credentials from Legacy Cloud System

by | Apr 4, 2025 | News





Oracle Acknowledges Legacy Cloud Breach but Downplays Impact

Oracle has confirmed to some customers that attackers stole old client credentials after breaching a “legacy environment” last used in 2017. However, leaked data suggests the breach is far more recent than Oracle claims.

While Oracle insists that no sensitive data was compromised, a threat actor known as rose87168 has leaked credentials from late 2024 and 2025, contradicting the company’s statements.

Bloomberg reports that CrowdStrike and the FBI are now investigating the incident, as Oracle faces increasing pressure to clarify the full extent of the breach.

How the Hack Happened: Exploiting a 2020 Java Vulnerability

According to cybersecurity firm CybelAngel, the attackers gained access to Oracle’s Gen 1 Cloud (Oracle Cloud Classic) servers as early as January 2025.

The hackers allegedly:
✔ Used a 2020 Java exploit to deploy a web shell and malware
✔ Exfiltrated data from Oracle Identity Manager (IDM)
✔ Stole user emails, hashed passwords, and usernames

The breach was detected in late February, but by that time, a threat actor had already put 6 million data records up for sale on BreachForums.

Image: Threat actor selling data allegedly stolen from Oracle Cloud (BleepingComputer)


Oracle Denies Cloud Breach as Leaked Data Circulates

Despite mounting evidence, Oracle has consistently denied that Oracle Cloud was breached, telling BleepingComputer:

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud.”

However, archived URLs show that the attacker uploaded files to Oracle’s servers, a claim Oracle has not addressed. Multiple companies have also confirmed that samples of leaked LDAP data, email addresses, and usernames are authentic.

Security experts believe Oracle is using wordplay to downplay the breach. Cybersecurity analyst Kevin Beaumont explains:

“Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.”

While technically true, the affected services were still Oracle-managed cloud platforms, raising questions about transparency.

Oracle Health Breach: Patient Data Stolen, Hospitals Extorted

Separately, Oracle has notified clients about a breach at Oracle Health (formerly Cerner), which has compromised patient data across multiple U.S. hospitals.

How the Oracle Health Breach Unfolded:

✔ Attack detected on February 20, 2025
✔ Hackers used stolen customer credentials to access legacy data migration servers
✔ Impacted hospitals are now being extorted for millions

A threat actor known as “Andrew” is demanding cryptocurrency payments in exchange for not leaking sensitive patient data. The hacker has even created public websites to pressure hospitals into paying the ransom.




Oracle Faces Scrutiny as Investigations Continue

Despite multiple attempts by journalists to obtain further comments, Oracle has not publicly disclosed the full impact of either breach.

With CrowdStrike, the FBI, and cybersecurity firms now investigating, Oracle may soon be forced to provide clearer answers about the true scale of these breaches.

For now, impacted users and organizations are urged to:
✔ Reset passwords linked to Oracle Cloud and Oracle Health
✔ Enable multi-factor authentication (MFA) for all accounts
✔ Monitor for suspicious activity related to compromised credentials

With stolen credentials now in circulation, further attacks could be imminent.


Source: bleepingcomputer.com
