Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com
The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. breachforums.st/Thread-SELLING…
Kevin Beaumont
Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.
web.archive.org/web/2025030116…
Kevin Beaumont
(YouTube link: www.youtube.com)
Kevin Beaumont
Hudson Rock are reporting the Oracle Cloud breach claim threat actor has provided 10k records, and they appear genuine according to one of their customers.
linkedin.com/posts/alon-gal-ut…
It’s unclear to me exactly what is happening with this one as the threat actor doesn’t appear to understand basic English grammar.. but there are signs something has happened at Oracle.
Big problem for Oracle as I’m not sure how plausible denials will be when threat actor, who sounds 12, is dumping data online.
Big - I just received 10,000 records from the Oracle breach, given to me… | Alon Gal
Alon Gal (www.linkedin.com)
Kevin Beaumont
CloudSEK are doubling down on their Oracle Cloud breach reporting, despite a denial from Oracle: cloudsek.com/blog/part-2-valid…
I am still looking into this and will probably do a blog post this week. The threat actor is still dropping files everywhere and they do tend to point to a security incident at Oracle Cloud.
Part 2: Validating the Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis
Rahul Sasi (CloudSEK)
Kevin Beaumont
Bleeping Computer say multiple Oracle customers confirm their customer data has been stolen. Oracle continue to deny there is a problem.
bleepingcomputer.com/news/secu…
Kevin Beaumont
Also, that YouTube video I linked above has two hours of audio of Oracle employees talking. I haven’t transcribed it yet.
Separately, the threat actor has shared what they claim to be current config files from Oracle Cloud servers with a different reporter.
I’m deliberately staying out of this one for now as I’m trying to finish Assassin’s Creed Shadows first.. but I think Oracle may have a pending PR disaster when the TikTok deal is due to complete.
Kevin Beaumont
There’s now been a data breach at Oracle Health, which is separate to the ongoing security issue at Oracle Cloud.
Oracle have not commented publicly on the breach, instead telling people to only talk to their CISO by phone, not in writing. They’ve sent out letters without Oracle letterheads, using external lawyers instead.
The behaviour going on at Oracle with cybersecurity is extremely alarming.
bleepingcomputer.com/news/secu…
Kevin Beaumont
Going back to the Oracle Cloud security incident, the 2019 video posted by the threat actor: youtu.be/375_G9wAffo
Now has an audio transcription github.com/j-klawson/oracle_br…
(I’ve redacted the root passwords from the screenshot)
oracle_breach_2025/youtube_video_transcript.txt at main · j-klawson/oracle_breach_2025
GitHub
Kevin Beaumont
Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
Kevin Beaumont (DoublePulsar)
Kevin Beaumont
The wordplay here is Oracle Cloud.
Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident.
They’re denying it on “Oracle Cloud” by using this scope - but it’s their cloud service.
Kevin Beaumont
Multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services.
They are only doing so verbally; they will not write anything down, so they’re setting up meetings with large customers who query.
Kevin Beaumont
Oracle Health customers dealing with the breach there of patient PII, if you’ve had a verbal briefing could you please Signal me? GossiTheDog.1337
I’m interested to see if they’ve told you it was in legacy Oracle Classic aka OCI Gen1 environments, like they have with Oracle Cloud customers - I’m trying to line up if the breaches are actually related.
It appears Oracle migrated people off OCI G1 a few years ago, but left the systems on and unpatched with customer data.
Kevin Beaumont
Heise has a look at the Oracle security incident. Oracle didn’t return a request for comment when asked about Oracle Classic - I understand from multiple large outlets they’ve also declined to comment.
heise.de/en/news/Data-leak-at-…
Data leak at Oracle: Up to 2000 German victims? What is known and what is not
Dr. Christopher Kunz (heise online)
Kevin Beaumont
We have an update. Reuters and Bloomberg confirm my blog, that there’s a security incident going on at Oracle cloud. Oracle declined to comment, after lying to @BleepingComputer and other outlets on the record.
CrowdStrike is the IR company.
“Oracle staff acknowledged to some clients this week that an attacker had gotten into a legacy environment, Bloomberg News report said.”
reuters.com/technology/cyberse…
Kevin Beaumont
“The company informed customers that the system has not been in use for eight years and that the stolen client credentials therefore pose little risk, the report added. The stolen data included Oracle customer log-in credentials from as recently as 2024, the report said.”
This would be Oracle Classic, aka Gen1. I’ve been told the systems were left online after migration.. unpatched.
Oracle are trying to play the legacy angle - but what else was stolen? What else did the attacker do? Why cover up?
Kevin Beaumont
Yeah, by legacy system Oracle mean ‘a system we manage housing active customer data’. They’ve also been telling people it isn’t Oracle Cloud.. but it is, and they know it is, they’re just doing customer talking points to wordsmith around it.
infosec.exchange/@Fringedcrow/…
Fringed Crow :battery_ok: (@Fringedcrow@infosec.exchange)
Infosec Exchange
Kevin Beaumont
To answer my own question up thread - from talking to people, the Oracle Health breach appears to be unrelated to the Oracle SaaS incident this thread describes.
In both cases they’re being extorted, and in both cases they’re working with the FBI and external incident response.
Kevin Beaumont
The Register has a look at the Oracle situation. No new info, as Oracle won’t comment on anything and the info they’ve told customers is extremely light.
theregister.com/2025/04/08/ora…
Oracle says its cloud was in fact compromised
Iain Thomson (The Register)
Kevin Beaumont
Oracle have finally issued a written notification to customers about their cybersecurity incident.
They are again wordsmithing. OCI is a different org unit in Oracle to Oracle Classic - they’re denying a different scope.
How long was the attacker in the SaaS solution (that Oracle manage)? What did they do with the access? How long were they in for? Why were ‘legacy’ systems containing customer info left unmanaged and insecure? Etc.
Really poor response from a SaaS provider.