Oracle’s Cybersecurity Breach: A Shocking Revelation and Its Aftermath

Listen to this Post

Oracle Corporation recently confirmed to selected clients that hackers breached a “legacy” computer system and stole valuable login credentials, following weeks of public denials about any security incidents. This disclosure marks a sharp reversal from Oracle’s previous stance, which initially denied any breach, and it stands as the second major cybersecurity incident the company has revealed to its clients in recent months.

the Oracle Breach Incident

Oracle staff notified specific clients that attackers had gained unauthorized access to a so-called “legacy environment,” allowing them to steal authentication data. This includes usernames, passkeys, and encrypted passwords. Notably, the breach was traced back to Oracle’s Gen 1 (Oracle Cloud Classic) servers, which had been compromised using a Java vulnerability that dates back to 2020. Hackers installed a web shell and additional malware on the affected systems, thus securing access to critical information such as user emails, usernames, and hashed passwords from Oracle Identity Manager (IDM).

The breach was first discovered in late February 2025, and the FBI, along with cybersecurity firm CrowdStrike, was called in to investigate. The attack’s discovery came shortly after a hacker, using the alias “rose87168,” attempted to sell a cache of 6 million stolen records on BreachForums. These records included database content, LDAP information, and a client list, all purportedly stolen from Oracle Cloud’s federated SSO login servers. According to cybersecurity firm CloudSEK, this incident compromised over 140,000 tenants, exposing critical assets like encrypted SSO passwords, JKS files, and enterprise manager JPS keys.

In response to earlier reports of the breach, Oracle had vehemently denied any security compromise. The company initially claimed there was no breach of Oracle Cloud, no lost data, and that the published credentials were unrelated to Oracle Cloud systems. Security experts criticized Oracle for its “wordplay” by rebranding older Oracle Cloud services as “Oracle Classic” to avoid admitting a breach of its modern cloud infrastructure.

Moreover, while Oracle downplayed the situation by claiming that the compromised systems were no longer active, evidence suggests otherwise. Hackers posted data records from 2025 on a hacking forum, further complicating Oracle’s assertions and highlighting discrepancies regarding the breach’s timeline. The attack has raised serious concerns over cloud security practices and the isolation of tenants in cloud environments.

What Undercode Says: An Analytical Take on

This incident with Oracle is far from a simple case of a hacker exploiting a known vulnerability. It reveals a much deeper issue within cloud security practices, especially when it comes to the way legacy systems are maintained and isolated from more modern cloud infrastructure. Oracle’s use of the term “legacy environment” is a critical point in this scenario. By rebranding older infrastructure as something distinct from their current Oracle Cloud services, the company may have attempted to deflect attention from a breach of their more up-to-date platforms. This strategy, however, appears to have backfired, as security professionals have pointed out the inconsistency in Oracle’s messaging.

One of the most concerning aspects of this breach is the persistence of vulnerabilities in legacy systems. The fact that Oracle’s Gen 1 Cloud Classic servers remained exposed due to a Java vulnerability from 2020 shows how companies often fail to address vulnerabilities in older infrastructure. This breach serves as a cautionary tale for businesses that rely on outdated technology but may not realize the risks posed by such legacy systems. The hacker’s ability to install malware and a web shell points to a lack of robust monitoring and patching protocols that should have been in place long before the breach occurred.

Additionally, the breach’s impact is far-reaching. With over 140,000 tenants potentially affected, the stolen data goes beyond simple usernames and passwords. The compromised information includes encrypted authentication details, which could open doors for further exploitation if the hackers manage to decrypt the stolen data. The exposure of such sensitive information is particularly alarming in the context of cloud security, where multiple clients share the same resources. The lack of proper isolation between tenants can allow an attacker to access not just one company’s data but the data of others sharing the same infrastructure.

Another critical issue raised by this incident is

While Oracle has committed to working with law enforcement and cybersecurity experts to address the breach, the damage has already been done. This incident underscores the importance of companies ensuring the security of both their current and legacy systems. Additionally, it highlights the need for greater accountability in the tech industry when it comes to cybersecurity breaches, as companies must prioritize transparency and swift action to protect their clients’ sensitive data.

Fact Checker Results

  1. Oracle has indeed confirmed a breach, which was initially denied.
  2. The breach occurred on Oracle Cloud Classic systems, compromising sensitive client data.
  3. The stolen data, including encrypted passwords and authentication keys, has been exposed on hacker forums.

References:

Reported By: cyberpress.org
Extra Source Hub:
https://www.reddit.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image