{"id":2725,"date":"2025-04-10T20:07:15","date_gmt":"2025-04-10T20:07:15","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2725"},"modified":"2025-04-10T20:07:15","modified_gmt":"2025-04-10T20:07:15","slug":"oracle-admits-breach-of-obsolete-servers-denies-main-cloud-platform-affected","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2725","title":{"rendered":"Oracle admits breach of \u2018obsolete servers,\u2019 denies main cloud platform affected"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Oracle has continued to downplay a data breach it suffered earlier this year, insisting in an email sent to customers this week that the hack did not involve its core platform, Oracle Cloud Infrastructure (OCI).<\/p>\n<p>Normally, a denial like this would be the end of the story, but the circumstances of this breach and Oracle\u2019s confusing response to it over recent weeks have left some questioning the company\u2019s account of the incident.<\/p>\n<p>This week\u2019s email, forwarded to this publication by Oracle, claimed that the incident involved \u201ctwo obsolete servers\u201d unconnected to the OCI or any customer cloud environments.<\/p>\n<p>\u201cOracle would like to state unequivocally that the Oracle Cloud \u2014 also known as Oracle Cloud Infrastructure or OCI \u2014 has NOT experienced a security breach,\u201d stated the letter.<\/p>\n<p>\u201cNo OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. 
No OCI service has been interrupted or compromised in any way,\u201d it continued.<\/p>\n<p>No usable passwords were exposed, the email said, because these were \u201cencrypted and\/or hashed.\u201d<\/p>\n<p>\u201cTherefore, the hacker was not able to access any customer environments or customer data,\u201d the email concluded.<\/p>\n<h2 class=\"wp-block-heading\">Breach timeline<\/h2>\n<p>But if the \u201ctwo obsolete servers\u201d weren\u2019t part of the OCI system, what were they part of? And what, if any, customer data did the hacker access? At this point, the opinions of security researchers and the counter-assertions by Oracle start to diverge.<\/p>\n<p>The fact that a breach of some kind had occurred was first made public in March, when a hacker using the moniker \u2018rose87168\u2019 publicized on a breach forum their theft of six million single sign-on (SSO) and Lightweight Directory Access Protocol (LDAP) credentials, among other sensitive data, allegedly stolen from the Oracle Cloud platform.<\/p>\n<p>If true, that would be a big deal; SSO and LDAP credentials, even if competently hashed, are not something any cloud provider or customer would want to be in the hands of a third party.<\/p>\n<p>The hacker <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records\/\">told<\/a> Bleeping Computer that they gained access to the Oracle system in February, after which they had attempted (and failed) to extort payment from Oracle in return for not releasing the data.<\/p>\n<p>But even if the hashes remained secure, other sensitive data could be used to mount targeted attacks, <a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/trustwave-spiderlabs-threat-review-alleged-oracle-compromise\/\">noted<\/a> security company Trustwave:<\/p>\n<p>\u201cThe dataset includes PII, such as first and last names, full display names, email addresses, job titles, department 
numbers, telephone numbers, mobile numbers, and even home contact details,\u201d wrote Trustwave\u2019s researchers, pointing out that the consequences of such a breach could be expensive.<\/p>\n<p>\u201cFor the organizations affected, a leak like this one could result in data breach liabilities, regulatory penalties, reputational damage, operational disruption, and long-term erosion of client trust,\u201d they wrote.<\/p>\n<p>Oracle subsequently denied the breach claim, <a href=\"https:\/\/www.csoonline.com\/article\/3852643\/oracle-cloud-breach-may-impact-140000-enterprise-customers.html\">telling<\/a> the media: \u201cThe published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.\u201d<\/p>\n<p>In early April, the company changed tack slightly, admitting that it had been breached, but insisting that the data had <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-04-02\/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen\">been taken<\/a> from a \u201clegacy environment\u201d (aka Oracle Classic) dating back to 2017. 
That story claimed that Oracle had <a href=\"https:\/\/www.csoonline.com\/article\/3953644\/oracle-quietly-admits-data-breach-days-after-lawsuit-accused-it-of-cover-up.html#:~:text=Oracle%20has%20finally%20admitted%20to,the%20breach%20from%20affected%20users\">started contacting customers<\/a>, mentioning that the FBI and CrowdStrike were investigating the incident.<\/p>\n<p>This incident was in addition to a <a href=\"https:\/\/www.csoonline.com\/article\/3951683\/oracle-warns-customers-of-health-data-breach-amid-public-denial.html\">separate data breach<\/a> \u2013 described as a \u201ccybersecurity event\u201d \u2013 affecting Oracle\u2019s healthcare subsidiary, Oracle Health.<\/p>\n<h2 class=\"wp-block-heading\">Doubts emerge<\/h2>\n<p>So far so good regarding Oracle\u2019s denials, except that the hacker subsequently shared data showing their access to login.us2.oraclecloud.com, a service that is part of the Oracle Access Manager, the company\u2019s IAM system used to control access to Oracle-hosted systems.<\/p>\n<p>It also emerged that some of the leaked data appeared to be from 2024 or 2025, casting doubt on Oracle\u2019s claim that it was old.<\/p>\n<p>So, was Oracle\u2019s main OCI platform breached or not? Not everyone is convinced by the company\u2019s flat denials. According to prominent security researcher Kevin Beaumont, the company was basically \u201cwordsmithing\u201d the difference between the Oracle Classic servers it admits were breached and the OCI servers, which it still maintains were not.<\/p>\n<p>\u201cOracle rebadged old Oracle Cloud services to be Oracle Classic. 
Oracle Classic has the security incident,\u201d noted Beaumont in <a href=\"https:\/\/doublepulsar.com\/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a\">a dissection<\/a> of the incident and Oracle\u2019s response on Medium.<\/p>\n<p>\u201cOracle are denying it\u2019s on \u2018Oracle Cloud\u2019 by using this scope \u2013 but it\u2019s still Oracle cloud services, that Oracle manage. That\u2019s part of the wordplay.\u201d Oracle had also quietly contacted multiple customers to confirm some kind of breach, he said.<\/p>\n<p>This leaves interested parties with the unsatisfactory sense that something untoward has happened, without it being clear what.<\/p>\n<p>For now, Oracle is sticking to its guns that its main OCI platform is not involved, but perhaps the confusion could have been avoided with better communication.<\/p>\n<p>Suffering a breach is hugely challenging for any organization, but it sometimes pales beside the problems of communicating with customers, journalists, and the army of interested researchers ready to pick apart every ambiguity. Weeks on from the breach becoming public, those ambiguities have yet to be fully cleared up.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Oracle has continued to downplay a data breach it suffered earlier this year, insisting in an email sent to customers this week that the hack did not involve its core platform, Oracle Cloud Infrastructure (OCI). 
Normally, a denial like this would be the end of the story, but the circumstances of this breach and Oracle\u2019s [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2726,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2725"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2725"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2725\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2726"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}