Oracle has admitted to some customers that attackers breached a legacy system and stole old client login credentials, Bloomberg reported, citing sources familiar with the matter. The breach, which was first reported in March, marks the second cybersecurity incident Oracle has disclosed to clients within a month. The FBI and cybersecurity firm CrowdStrike Holdings are reportedly investigating the incident.

The company stated that the compromised system was last used in 2017 and does not contain sensitive information. However, the threat actor behind the attack has reportedly shared data from late 2024 with BleepingComputer and posted additional records from 2025 on a hacking forum.

Oracle denies cloud breach

News of a possible breach first emerged from cybersecurity firm CybelAngel, which reported that an attacker accessed Oracle’s Gen 1 servers as far back as January 2025. The firm further claimed that the attackers exploited a 2020 Java vulnerability to deploy a web shell and other malware, before a hacker known as ‘rose87168’ attempted to sell 6m data records on BreachForums in March. The individual also shared sample data, including LDAP information and a list of affected companies, as proof of the breach.

Cybersecurity firm Trustwave later validated that the data being sold online had been extracted from Oracle. The attacker may have accessed the Oracle Identity Manager (IDM) database, which stores user emails, hashed passwords, and usernames. BleepingComputer also verified with multiple companies that additional samples of the leaked data provided by the threat actor were authentic.

However, Oracle has consistently denied reports of a breach in its current cloud services. “There has been no breach of Oracle Cloud,” Oracle said in a statement to customers, as seen by Bloomberg News. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

Cybersecurity experts have pointed out that the affected system—Oracle Cloud Classic—was previously part of Oracle’s cloud services. Cybersecurity expert Kevin Beaumont argued that Oracle appears to be differentiating between ‘Oracle Cloud’ and ‘Oracle Cloud Classic’ to downplay the breach. “Oracle [is] denying [the breach took place] on ‘Oracle Cloud’ by using this scope,” wrote Beaumont, “but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.”

Last month, Oracle’s Federal Electronic Health Record (EHR) service experienced a nationwide outage that disrupted operations across multiple US government agencies. The incident affected medical facilities operated by the VA, the US Coast Guard, the Department of Defense, and the National Oceanic and Atmospheric Administration, restricting access to patient records and clinical tools. Recently, Oracle also notified customers of this breach, in which patient data was allegedly stolen.
