Oracle confirms in e-mail notifications to customers that a hacker stole and leaked login details. According to Oracle, the data was stored on two outdated servers.
However, the company claims that the Oracle Cloud servers were not compromised and that this incident did not affect customer data or cloud services. Oracle states unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – did not experience a security breach. This is what the company reports in a customer notification that was shared with BleepingComputer.
The statement goes on to say that no OCI customer environment was penetrated and that no OCI customer data was viewed or stolen. No OCI service experienced an interruption or was compromised, the company added in emails sent from replies@oracle-mail.com. Oracle asks customers to contact Oracle Support or their account manager with further questions.
Encrypted passwords
The company explains that a hacker accessed two outdated servers that were never part of OCI. Usernames were leaked from these servers. The hacker did not expose any usable passwords because the passwords on those two servers were encrypted and/or hashed. Therefore, the hacker had no access to customer environments or customer data, Oracle reports.
Since the incident came to light in March, when a threat actor (rose87168) offered 6 million data records for sale on BreachForums, Oracle has consistently denied reports of a breach of Oracle Cloud in statements to the press. This technically matches what Oracle is telling its customers, namely that the breach involved an older platform, Oracle Cloud Classic, but according to cybersecurity expert Kevin Beaumont it is just a play on words.
He explains that Oracle renamed its old Oracle Cloud services to Oracle Classic, and that Oracle Classic was affected by the security incident. Oracle denies a breach by using this definition of Oracle Cloud, but these are still Oracle cloud services that Oracle manages. So, according to Beaumont, it is a play on words.
BleepingComputer contacted Oracle to confirm whether these notifications were legitimate and were not sent by the threat actor or another third party. The outlet has not yet received a response. Oracle has not clarified whether the affected servers are part of Oracle Cloud Classic or another platform.
Legacy environment not used since 2017
This follows the company’s acknowledgment last week in private conversations with some customers that attackers had stolen old customer data after breaking into a legacy environment last used in 2017.
Although Oracle told customers that the data involved was non-sensitive old data from a legacy environment, the threat actor shared data dating from the end of 2024 with BleepingComputer and later posted newer data from 2025 on BreachForums.
BleepingComputer has also independently confirmed with multiple Oracle customers that samples of the leaked data supplied by the threat actor (including LDAP display names, e-mail addresses, first names and other identifying information) were valid.
Cybersecurity company CybelAngel revealed last week that Oracle had informed customers that an attacker had installed a webshell and additional malware on some of Oracle’s Gen 1 servers (also known as Oracle Cloud Classic) as early as January 2025. Until the breach was discovered at the end of February, the threat actor is believed to have stolen data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords and usernames.