Multiple Oracle cloud customers have reached out to me to say Oracle have now confirmed a breach of their services.
They are only doing so verbally, they will not write anything down, so they’re setting up meetings with large customers who query.
Oracle Health customers dealing with the breach there of patient PII, if you’ve had a verbal briefing could you please Signal me? GossiTheDog.1337
I’m interested to see if they’ve told you it was in legacy Oracle Classic aka OCI Gen1 environments, like they have with Oracle Cloud customers - I’m trying to line up if the breaches are actually related.
It appears Oracle migrated people off OCI G1 a few years ago, but left the systems on and unpatched with customer data.
Heise has a look at the Oracle security incident. Oracle didn’t return a request for comment when asked about Oracle Classic - I understand from multiple large outlets they’ve also declined to comment.
When I asked Oracle for comment, a PR person responded and offered a comment on the condition I not attribute it in any way to Oracle. When I said no, the PR person said Oracle was declining to comment.
A class action lawsuit has been filed in the US around Oracle failing to publicly disclose a breach of Oracle Health. https://storage.courtlistener.com/recap/gov.uscourts.txwd.1172831612/gov.uscourts.txwd.1172831612.1.0.pdf
@GossiTheDog are they not beholden to breach reporting requirements?
We have an update. Reuters and Bloomberg confirm my blog, that there’s a security incident going on at Oracle cloud. Oracle declined to comment, after lying to @BleepingComputer and other outlets on the record.
CrowdStrike is the IR company.
“Oracle staff acknowledged to some clients this week that an attacker had gotten into a legacy environment, Bloomberg News report said.”
“The company informed customers that the system has not been in use for eight years and that the stolen client credentials therefore pose little risk, the report added. The stolen data included Oracle customer log-in credentials from as recently as 2024, the report said.”
This would be Oracle Classic, aka Gen1. I’ve been told the systems were left online after migration.. unpatched.
Oracle are trying to play legacy angle - but what else was stolen? What else did the attacker do? Why cover up?
Yeah, by legacy system Oracle mean ‘a system we manage housing active customer data’. They’ve also been telling people it isn’t Oracle Cloud.. but it is, and they know it is, they’re just doing customer talking points to wordsmith around it.
Oracle were still trying to get SaaS solutions *they* manage off Oracle Classic aka Gen1 as of 2023. They made a mess of it.
To answer my own question up thread - from talking to people, the Oracle Health breach appears to be unrelated to the Oracle SaaS incident this thread describes.
In both cases they’re being extorted, and in both cases they’re working with the FBI and external incident response.
Also in both cases Oracle hasn’t filed an 8-K or told regulators or provided an IR report to customers or a written technical statement of what happened or put anything on their website or commented to press.
Bleeping Computer report that although Oracle are telling clients the login data is "old", they've received login details from the threat actor current to this year (2025). Oracle haven't returned requests for comment. https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/
The Oracle cloud threat actor has told the BBC they plan to release European region Oracle Cloud Classic data this weekend. #threatintel
The Register has a look at the Oracle situation. No new info, as Oracle won’t comment on anything and the info they’ve told customers is extremely light.
https://www.theregister.com/2025/04/08/oracle_cloud_compromised/
Oracle have finally issued a written notification to customers about their cybersecurity incident.
They are again wordsmithing. OCI is a different org unit in Oracle to Oracle Classic - they’re denying a different scope.
How long was the attacker in the SaaS solution (that Oracle manage)? What did they do with the access? How long were they in for? Why were ‘legacy’ systems containing customer info left unmanaged and insecure? Etc.
Really poor response from a SaaS provider.
@dangoodin @GossiTheDog what, so they were expecting you to report “some unspecified random person told me that Oracle…” ?