Oracle attempt to hide cybersecurity incident from customers?


Kevin Beaumont

DoublePulsar

Being a provider of cloud SaaS (Software-as-a-Service) solutions carries certain cybersecurity responsibilities — including being transparent and open. The moment at which this is tested has arrived for Oracle, as they have a serious cybersecurity incident playing out in a service they manage for customers.

Back on March 21st, Bleeping Computer ran a story about a threat actor named rose87168 claiming to have breached some Oracle services under *.oraclecloud.com.

Oracle told Bleeping Computer, and customers: “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

The threat actor then posted an archive.org URL and provided it to Bleeping Computer, strongly suggesting they had write access to login.us2.oraclecloud.com, a service using Oracle Access Manager. This server is entirely managed by Oracle:

https://cyberplace.social/@GossiTheDog/114202395143978043

Oracle have since requested Archive.org take down the proof:

The threat actor then provided a several-hour-long recording of an internal Oracle meeting, complete with Oracle employees talking for two hours:

The meeting is viewable here and the transcript is here:

https://github.com/j-klawson/oracle_breach_2025/blob/main/youtube_video_transcript.txt

The two-hour video includes things like accessing internal Oracle password vaults and customer-facing systems:

I’ve masked the root passwords of Oracle’s systems

Both Hudson Rock and Bleeping Computer were then able to confirm with Oracle customers that their data — including staff email addresses — was included in the data released by the threat actor:

The threat actor, rose87168, is still active online and releasing data — and threatening to release more:

They have also released data to cybersecurity threat intelligence providers.

From data released to a journalist for validation, it has now become 100% clear to me that there has been a cybersecurity incident at Oracle involving systems which processed customer data.

For example, the threat actor has publicly provided complete Oracle configuration files — current ones, too. As one example, they have provided Oracle web server configuration files:

All the systems impacted are directly managed by Oracle. Some of the data provided to journalists is current, too. This is a serious cybersecurity incident which impacts customers, in a platform managed by Oracle.

Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility. This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle — or customers should start stepping off.

Update 1 — Oracle rebadged its older Oracle Cloud services as Oracle Classic. Oracle Classic is where the security incident occurred.

Oracle are denying a breach of “Oracle Cloud” by relying on this narrower scope — but the affected services are still Oracle cloud services that Oracle manage. That’s part of the wordplay.

Update 2 — although Oracle used the archive.org exclusion process to remove evidence of a write to one of the oraclecloud.com web servers, they forgot to remove the second URL.

The threat actor’s email address