Oracle officially acknowledges security incident that exposed login data



On March 21, 2025, a hacker calling himself 'rose87168' stole and sold approximately 6 million customer records from the single sign-on (SSO) login server of Oracle's cloud service 'Oracle Cloud.' In response to this, Oracle initially issued a statement that 'no unauthorized access had occurred,' but in April 2025, Oracle reportedly acknowledged the unauthorized access and reported the fact to its customers.

Oracle (ORCL) Tells Clients of Second Recent Hack, Log-in Data Stolen - Bloomberg
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen



Oracle tells clients of second recent hack, log-in data stolen, Bloomberg News reports | Reuters

https://www.reuters.com/technology/cybersecurity/oracle-tells-clients-second-recent-hack-log-in-data-stolen-bloomberg-news-2025-04-02/

On March 21, 2025, a threat actor going by the name 'rose87168' claimed on a hacking forum that he had 'stolen 6 million SSO passwords, keystore files, key files, etc. from Oracle Cloud's SSO login server' and offered them for sale.



Furthermore, rose87168 claims that he 'uploaded a text file containing his email address to "login.us2.oraclecloud.com", which is controlled by Oracle,' and provides an Internet Archive URL as evidence.

In response, Oracle released a statement saying, 'There was no data leak on Oracle Cloud. The login credentials published by the threat actor are not from Oracle Cloud. Therefore, no Oracle Cloud customers are at risk.' Meanwhile, it has been reported that Oracle requested the removal of the Internet Archive page that rose87168 presented as evidence.

Oracle is trying to hide serious security incidents that occurred on its cloud from customers by asking the Internet Archive to delete them - GIGAZINE



'Oracle is trying to evade responsibility in the Oracle Cloud fiasco with clever rhetoric. This is unacceptable. Oracle needs to be clear and open about what happened and how it will affect customers,' Medium wrote in a statement to Oracle.

Then, in April 2025, Oracle notified some of its clients that hackers had broken into its computer systems and accessed usernames, passkeys, and encrypted passwords, thereby acknowledging the unauthorized access. According to sources, Oracle is investigating the incident in collaboration with the FBI and cybersecurity company CrowdStrike. It has also been reported that the hackers have demanded a ransom from Oracle for the data.

According to Oracle, the attackers broke into a system that had not been used for eight years, called a 'legacy environment.' Oracle has therefore told customers that 'the stolen client credentials are unlikely to pose a risk.' However, one official said, 'The stolen data included login credentials for Oracle customers up to 2024.'

Karl Sigler, senior security research manager at cybersecurity firm Trustwave SpiderLabs Threat Intelligence, confirmed that the data being sold by rose87168 was stolen from Oracle, saying, 'The data is a rich data set that hackers can use to send phishing emails to their targets and take over user accounts.'

in Software, Security. Posted by log1r_ut