Oracle’s ongoing denial of a major security breach has left potential victims and cyber investigators asking: Is Oracle lying?
In late March, hacker ‘rose87168’ (Rose) wrote about an absurdly large data breach of Oracle Cloud on a popular hacking forum, claiming the alleged theft of some six million security credentials across 140,000 companies – of which more than 1,600 had Australian internet domains.
Despite an Oracle spokesperson stating there had been “no breach of Oracle Cloud” and no customers had “lost any data,” two anonymous sources have since advised Bloomberg that Oracle Corp told customers a hacker broke into a computer system and stole “old client log-in credentials”.
According to the sources, Oracle staff acknowledged to some clients an attacker had gotten into a “legacy environment”.
These clients were reportedly told the attacker gained access to usernames, passkeys and encrypted passwords – matching most of what Rose claimed to have stolen – while both the Federal Bureau of Investigation (FBI) and cybersecurity firm CrowdStrike are reportedly investigating the incident.
Information Age has confirmed two well-known Australian organisations on Rose’s alleged victim list have been in contact with Oracle over the incident, although neither agreed to be named.
Wordsmithing at its finest
Taken literally, Oracle’s statement that “no breach of Oracle Cloud occurred” appears to be true, as the company delineates its current ‘Oracle Cloud’ offering from an older platform now called Oracle Cloud Classic.
Security researcher Kevin Beaumont noted Oracle “rebadged old Oracle Cloud services to be Oracle Classic”, with the incident belonging specifically to Oracle Classic.
“Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility,” wrote Beaumont.
“Oracle are denying it on ‘Oracle Cloud’ by using this scope – but it’s still Oracle cloud services that Oracle manage.”
Richard Berkahn, partner and co-head of First Response at Atmos, a newly established cyber law firm dedicated to Australia and New Zealand, suggested Oracle’s “absence of any decisive communications” marked a missed opportunity.
“We don't know what the conversations in the Oracle boardroom have been.
“Maybe Oracle was trying to do the right thing by validating the threat before communicating with customers, thereby limiting communications to impacted customers only.
“The rub here, and the missed opportunity, was Oracle taking ownership of the threat response.
“They could have stated that they are investigating with urgency and told customers what they could do in the interim to mitigate against an unvalidated potential threat to user credentials.
“Whether Oracle has 'wordsmithed' the initial communications is now a matter for them to explain as they work through this.”
Did Oracle scrub evidence?
The earliest supporting evidence of the alleged hack was Rose’s use of an archival Wayback Machine link to suggest they, at some point, had access to an Oracle-managed server named login.us2.oraclecloud.com.
Cybersecurity outfit CloudSek determined the server appeared to be running Oracle Fusion Middleware 11G, an application platform which housed a critical vulnerability tied to Rose’s alleged breach.
The archive link, which initially returned a text file displaying Rose’s email address on the Oracle server, has since been scrubbed from the Wayback Machine, leading Beaumont to allege that Oracle issued a takedown request.
“Oracle have since requested Archive.org take down the proof,” said Beaumont.
The hacker has since backed their evidence with a recording of what appears to be an internal Oracle meeting, as well as alleged proof of them logging into a victim’s client environment and talking with Oracle Cloud online support.
Cybersecurity firm CybelAngel meanwhile suggested the breach involved a 2020 Java exploit which enabled a hacker to install malware.
Hacker’s samples include fresh data
Bloomberg’s sources claim Oracle told customers the impacted legacy system hadn’t been in use for eight years, and the stolen client credentials therefore posed little risk.
Rose’s early data samples indeed had outdated timestamps, though Alon Gal, co-founder of cybersecurity intelligence company Hudson Rock, later confirmed some leaked records were as recent as 2023 and 2024.
While it’s unclear what legacy system may have been impacted, Information Age understands certain 11G systems can still be used at a reduced capacity, without access to new security patches.
Berkahn added there are a “lot of unknowns”, particularly around whether the threat actor is “exaggerating their claims” in an attempt to beef up their leverage and extort Oracle or its customers.
“We don't know if this is a combo list of recycled passwords sourced elsewhere, even if there appears to be some truth to the threat actor's claims,” said Berkahn.
The hacker has meanwhile threatened to share more data samples in coming days.
Separate incident at Oracle Health
Adding to the confusion was a separate data breach at Oracle’s healthcare subsidiary, Oracle Health.
Last month, Oracle alerted some healthcare customers that hackers accessed company servers and copied patient data to an outside location, Bloomberg reported.
The wholly separate incident was said to have occurred sometime after 22 January.
Oracle has not publicly disclosed the reported incident at the time of writing.
Meanwhile, Florida resident Michael Toikach has filed a lawsuit over the alleged data breaches, claiming Oracle contravened Texas notification laws by not informing alleged victims within 60 days of becoming aware of a breach.
Oracle did not respond to Information Age’s request for comment.