Oracle has informed its customers via email that a hacker accessed and leaked credentials from two outdated servers. However, the company insisted that its Oracle Cloud servers were unaffected and that its customer data and cloud services remained secure.
“Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has NOT experienced a security breach,” said Oracle in a customer notification shared with BleepingComputer. “No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” it added in emails sent from replies@oracle-mail.com, prompting customers to contact Oracle Support or their account manager if they have additional questions.
“A hacker did access and publish user names from two obsolete servers that were never a part of OCI. The hacker did not expose usable passwords because the passwords on those two servers were either encrypted and/or hashed. Therefore the hacker was not able to access any customer environments or customer data.”
Hacker attempts sale of six million records from obsolete Oracle servers
The security incident came to light in March when a threat actor, known as rose87168, attempted to sell six million data records on BreachForums. Oracle has consistently denied any breach of its Oracle Cloud, stating that the incident involved an older platform, Oracle Cloud Classic.
The hacker provided sample data, including LDAP information and a list of affected companies, to support claims of the breach. Oracle has not yet confirmed whether the customer notifications are authentic or if they were distributed by the threat actor or another party. Furthermore, Oracle has not specified whether the compromised servers are part of Oracle Cloud Classic or another system.
Recently, Oracle informed some clients that a legacy system was breached, resulting in the theft of old client login credentials. This incident is the second cybersecurity breach Oracle has disclosed to clients within a month. The FBI and cybersecurity firm CrowdStrike are reportedly investigating the matter. Oracle stated that the compromised system was last used in 2017 and does not hold sensitive information. However, the threat actor allegedly shared data from late 2024 with BleepingComputer and posted additional records from 2025 on a hacking forum.
Cybersecurity firm Trustwave confirmed that the data being sold online was extracted from Oracle. It is believed that the hacker may have accessed the Oracle Identity Manager (IDM) database, which contains user emails, hashed passwords, and usernames.
Read more: Oracle admits data breach to some clients, investigations underway
