Oracle Cloud security SNAFU latest: IT giant accused of pedantry as evidence vanishes

Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.

On March 20, 2025, a netizen using the handle rose87168 claimed to have accessed at least two login systems for the IT giant’s cloud customers, allowing them to swipe what’s said to be six million records – copies of subscribers’ encrypted single-sign-on (SSO) passwords, encrypted LDAP passwords, security certificates, and more.

Oracle quickly denied its networks and clients had been compromised.

“There has been no breach of Oracle Cloud,” a spokesperson told The Register on Friday, March 21. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”

The netizen then sent evidence in the form of a 10,000-line sample of what was said to be stolen Oracle-hosted data to Alon Gal, co-founder and CTO at security shop Hudson Rock.

Gal said he presented this information to some Oracle customers, who confirmed it appeared to be legitimate, in that it was their private data entrusted to Oracle and yet was now seemingly in the hands of others.

The evidence included a database extract containing personal information of customers’ employees, sample LDAP records, and a list of supposedly affected companies.

Around the same time, infosec outfit CloudSEK published an analysis of the purported security breach and concluded the sample data corresponds to the production systems of real customers. According to the biz, the intrusion, involving a compromised Oracle SSO service, potentially affects thousands of tenants.

The break-in, according to Orca Security as well as CloudSEK, involved the abuse of CVE-2021-35587, an “easily exploitable vulnerability [that] allows [an] unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.” A fix for that bug was released by the tech giant in early 2022.

Thus it’s claimed Oracle didn’t patch a known years-old hole in its own public-facing middleware on its own production SSO servers for its own cloud service, allowing someone to swoop in and grab sensitive customer data.

Meanwhile, Big Red reportedly told Oracle Health customers recently that patient data may have been taken by unknown online attackers. The biz is said to have sent a letter to some healthcare customers about an incident that occurred on or around February 20, 2025, in which stolen credentials were used to access customer data.

According to Reuters, the FBI is investigating the incident.

Asked on Monday to comment, Oracle has yet to respond.

Here come the lawsuits…

Today, Oracle was sued [PDF] for negligence and breach of contract over its alleged failure to properly secure its systems and to notify customers in a timely manner.

The federal-level lawsuit, filed in west Texas, seeks class action status, and targets both the Cloud and Health reported security breaches. It demands damages, costs, and promises from Oracle to better protect its customers, data, and computers.

Gal on Monday questioned Oracle’s ongoing silence in a LinkedIn post, and said rose87168 may take further action to demonstrate an Oracle Cloud compromise had occurred.

“With no word from Oracle yet … rose87168 is indicating they are moving to a new phase, potentially selling or leaking the data,” said Gal. “Pretty crazy Oracle just denied this leak which has been verified independently by many cybersecurity firms.”

Infosec expert Kevin Beaumont also chided Oracle for trying to duck responsibility for the alleged Oracle Cloud breach, noting the firm appears to be splitting hairs by drawing a distinction between Oracle Cloud and Oracle Cloud Classic.

That is to say, the US super-corp claims Oracle Cloud was not infiltrated, though that leaves the door open to Oracle Cloud Classic being the specific product that was compromised. A distinction without a difference: Part of Oracle’s public cloud offering was broken into, according to rose87168 and others.

“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility,” wrote Beaumont. “This is not okay. Oracle need to clearly, openly and publicly communicate what happened, how it impacts customers, and what they’re doing about it. This is a matter of trust and responsibility. Step up, Oracle – or customers should start stepping off.”

Beaumont and Jake Williams, another security researcher, both alleged Oracle appears to have used the Internet Wayback Machine’s archive exclusion process to scrub evidence of the intrusion.

rose87168 left a text file on one of Oracle’s production login systems for its cloud service customers as proof they were there; the file contained the netizen’s private email address, and only an intruder or rogue insider could have placed the file there. That text file was visible to the world, and indexed by the Wayback Machine here, though that document has now been removed upon request.

A copy of it can still be found here, by twiddling the URL slightly, from a capture of login.us2.oraclecloud.com on March 1, a whole month ago. ®
